Skip to content Skip to footer site map

Navigate Up
Sign In
Home
Treasury For...
AboutExpand About
Resource CenterExpand Resource Center
Empty
ServicesExpand Services
InitiativesExpand Initiatives
CareersExpand Careers
Connect with Us
 

Privacy Act

 The Privacy Act Handbook

I. Background, Definitions & References

II. Applying Privacy Act to Records

III. Record Keeping Under the Privacy Act

IV. Publication Requirements

V. Privacy Act Statements, Social Security Numbers and Mailing Lists

VI. Accounting for Disclosures

VII. Requests for Notification and Access

VIII. Requests for Amendment

IX. Review of Denials of Amendment

X. Disclosure of Records

XI. Exemptions from the Privacy Act

XII. Review and Reporting Requirements

XIII. Contractors, Training, Rules of Conduct and Penalties for Non-compliance

XIV. Judicial Review

XV. Computer Matching

Appendix


 

I. Background, Definitions & References

A. Introduction

The Office of Privacy, Transparency, and Records, is issuing this handbook to carry out the provisions of the Privacy Act of 1974, as amended (5 U.S.C. 552a). The handbook establishes the Department of the Treasury’s guidelines and procedures for employees who maintain, collect, use, disseminate or amend records about individuals. Questions about this handbook or the Privacy Act should be directed to the Office of Privacy, Transparency, and Records at 202/622-0755. The handbook applies to all systems of records maintained by the Department of the Treasury. A system of records is “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”

B. Background

The Privacy Act of 1974, as amended, (“Privacy Act” or “the Act”) (5 U.S.C. 552a), Public Law 93-579, provides safeguards against an invasion of privacy through the misuse of records by Federal agencies. In general, the Act allows people to learn how records are collected, maintained, used, and disseminated by the Federal Government. The Act also permits individuals to gain access to their record or to any information pertaining to them which is contained in a system of records (subject to certain exceptions) and to seek amendment of any incorrect or incomplete information.

Broadly stated, the purpose of the Act is to balance the Government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from Federal agencies' collection, maintenance, use and disclosure of personal information about them.

The historical context of the Act is important to an understanding of its purposes. In 1974, Congress was concerned about the Watergate scandal and allegations of illegal surveillance and investigation of individuals by Federal agencies. Congress was also concerned with potential abuses presented by the Government's increasing use of computers to store and retrieve personal information by means of a single, universal identifier, such as an individual's social security number.

Specifically, the Act focuses on four policy objectives:

1. To establish a code of "fair information practices" that requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records.

2. To restrict disclosure of any item, collection, or grouping of information about an individual maintained by agencies.

3. To grant individuals increased rights of access to records maintained about them.

4. To grant individuals the right to seek amendment of records maintained about them upon a showing that the records are not accurate, relevant, timely or complete.

C. Definitions

1. Access. Furnishing to or permitting review of a record or a copy of a record to the subject of the record or their authorized representative. Note: There is no provision in the Privacy Act for administrative appeal from denials of access. To address this gap in the law, it is Treasury’s policy is to provide maximum disclosure benefits by processing requests under both the Freedom of Information Act (FOIA) and the Privacy Act, thereby extending the FOIA appeal rights to also apply to access denials.

2. Accounting of Disclosure. A record which gives a description of the Privacy Act records that have been disclosed, the name and mailing address of the person or agency to whom the disclosure was made, the method and purpose of the disclosure, and the date of the disclosure.

3. Alteration to a system of records. Any change to an existing system of records including, but not limited to, adding new routine uses or modifying routine uses; increasing or changing the number or types of individuals on whom records are maintained; expanding the type or categories of information maintained; changing the manner in which records are organized or the manner in which records are indexed or retrieved so as to change the nature or scope of those records; changing the purpose for which the information is used; changing the equipment configuration (i.e., hardware, software, or both) on which the system is operated so as to create the potential for either greater or easier access; or causing a system of records to be withdrawn, suspended, canceled, terminated, and subsequently reinstated.

4. Amendment. A correction and/or addition to a record made pursuant to a request for amendment by the individual who is the subject of the record. A correction includes the removal of some word, phrase, sentence, paragraph, or page from the record, or altering an incorrect statement, date, etc. Addition may mean adding material that is furnished by the subject or a statement executed by the subject. Such a statement may or may not be sworn to or affirmed. As used throughout this handbook, the term "amendment" is meant to include both correction of or addition to a record.

5. Appeal. A request for review of an agency decision to refuse to grant a requested amendment of a record.

6. Appellate Official. The individual designated by the bureau pursuant to Treasury Directive (TD) 25-04 to either affirm or reverse the initial determination denying amendment of a record under the Privacy Act, when that initial determination is appealed by the requester.

7. Bureau. A unit of the Department of the Treasury. The bureaus of the Department of the Treasury are:

a. Departmental Offices:

1. The Office of Inspector General (OIG)

2. Treasury Inspector General for Tax Administration (TIGTA).

3. Special Inspector General for the Troubled Assets Relief Program (SIGTARP)

4. Community Development Financial Institutions Fund (CDFI).

5. Federal Financing Bank (FFB).

6. Treasury Forfeiture Fund.

7. Treasury Franchise Fund.

b. Alcohol and Tobacco Tax and Trade Bureau;

c. Office of the Comptroller of the Currency;

d. Bureau of Engraving and Printing;

e. Bureau of the Fiscal Service;

f. Internal Revenue Service;

g. United States Mint;

i. Financial Crimes Enforcement Network

8. Computer Matching Program. A procedure in which a computer is used to compare two or more automated systems of records or a system of records with a set of non-federal records to find individuals who are common to more than one system or dataset. The procedure includes all of the steps associated with the match, including obtaining the records to be matched; actual use of the computer; administrative and investigative action on the hits; and disposition of the personal records maintained in connection with the match. A single matching program may involve several matches among a number of participants.

9. Department. The Department of the Treasury, encompassing the Departmental Offices and all other Treasury bureaus.

10. Determination. An agency decision made by a Responsible Official to grant or deny access in whole or in part to a record which is part of a system of records; or to grant or deny a requested amendment of a record, in whole or in part, in a system of records of the Department.

11. Disclosure. Furnishing a record to a third party without the consent of the subject as permitted by subsection (b) of the Act.

12. Individual. A citizen of the United States or an alien lawfully admitted for permanent residence. This definition does not include corporations, partnerships, or other business organizational entities.

13. Maintain. Collecting, keeping, using, or disseminating records.

14. Privacy Act Statement. A statement contained on any form used to collect information from the subject, or on a separate form that can be retained by the individual, which specifies the statutory authority for collecting the data; indicates whether furnishing the data is mandatory or voluntary; if there is any effect for not furnishing the data; defines the purpose for collecting the data and primary use(s) which will be made of it; and states other probable routine uses, if any.

15. Record. As used in the Privacy Act, any item, collection, or grouping of information about an individual that is maintained by the Department of the Treasury and that contains the name, or an identifying number, symbol or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. The record may include, but is not limited to, the individual's education, financial transactions, medical history, and criminal or employment history.

16. Responsible Official. The system manager or the head of the organizational unit having immediate custody of the records and who has been delegated by the system manager to perform PA activities in accordance with TD 25-04.

17. Routine Use. With respect to the disclosure of a record outside of the agency maintaining it, the use of such a record for purposes which are compatible with the purpose for which the record was collected. The system notice, which is required to be published in the Federal Register, must contain a listing of all routine uses for the information in that system.

18. Statistical Record. A record in a system of records maintained for statistical research or reporting purposes only and not used in whole or part in making any determination about an identifiable individual, except as provided by 13 U.S.C. 8.

19. System Notice. A notice published in the Federal Register of each system of records being maintained by the Department. The publication of the system notice is required by the Act.

20. System of Records. A group of any records under the control of the Department from which information is retrieved by the name of an individual, or by some other identifying number, symbol, or particular assigned to an individual.

21. System Manager. The bureau official identified in a system notice as the manager of a system of records; and for Government-wide systems of records, the individual designated by the agency to act on behalf of the system manager.

D. References

1. Privacy Act of 1974, as amended, 5 U.S.C. 552a (Pub. L. 93-579).

(See: http://www.justice.gov/opcl/privacyact1974.htm)

2. Department of the Treasury Regulations, 31 CFR Part 1, Subpart C.

3. Treasury Directive 25-04, “The Privacy Act of 1974, As Amended,” dated August 26, 2010. (See: http://www.treasury.gov/about/role-of-treasury/orders-directives/Pages/td25-04.aspx)

4. Treasury Notices of Systems of Records: (See: http://www.treasury.gov/privacy/issuances/Pages/handbook.aspx.)

5. Computer Matching and Privacy Protection Act of 1988 (Pub. L. l00-503).

6. Privacy Act Guidelines (OMB Circular A-108, July 1, 1975).

(See: http://www.whitehouse.gov/sites/default/files/omb/inforeg/implementation_guidelines.pdf)

7. OMB Final Guidance Interpreting the Provisions of Public Law 100-503, Computer Matching and Privacy Protection Act of 1988 (54 FR 25818), dated June 19, 1989. (See: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/inforeg/final_guidance_pl100-503.pdf)

8. OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (November 28, 2000)

(See: http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html)

9. Office of Personnel Management (OPM) Regulations 5 CFR 293.311 (See: http://www.gpo.gov/fdsys/granule/CFR-2011-title5-vol1/CFR-2011-title5-vol1-sec293-311/content-detail.html).

10. National Archives and Records Administration (NARA), General Records Schedule, dated September 2004. (See: http://www.archives.gov/records-mgmt/ardor/)

11. "Document Drafting Handbook," Office of the Federal Register, NARA.

(See: http://www.archives.gov/federal-register/write/handbook/chapters.html)

12. Department of Justice, Office of Information and Privacy, "Freedom of Information Act Guide & Privacy Act Overview," updated annually.

(See: http://www.justice.gov/oip/foia-guide.html)

13. "Guidelines on Relationship Between the Privacy Act of 1974 and the Debt Collection Act of 1982," dated March 30, 1983, (48 FR 15556, April 1, 1983).

(See: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/inforeg/guidance1983.pdf)

14. “Department of the Treasury Security Manual,” TD P 15-71 , June 17, 2011. (See: http://www.treasury.gov/about/role-of-treasury/orders-directives/Pages/td71-10.aspx))

15. National Archives and Records Administration, “Privacy Act Issuances” (See: http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=PAI).

16. Report of the Secretary's Advisory Committee on Automated Personal Data Systems, 1973 (See: http://aspe.hhs.gov/datacncl/privacy/pcmembrs.shtml)

17. Freedom of Information Act, 5 U.S.C. 552 (http://www.justice.gov/oip/foia-guide.html)

 

 TOP

 



 

II. Applying Privacy Act to Records

A. In general

B. Steps for Determining Whether the Privacy Act Applies

C. Systems Covered by the Act

D. Systems not Covered by the Act

E. Government- wide Systems of Records


II. Applying Privacy Act to Records

Summary: This chapter provides the criteria for determining whether a collection of records is subject to the Privacy Act. A listing of the Government-wide systems of records is provided at the end of the chapter.

A. In general

Before maintaining information about individuals, a determination should be made as to whether the Privacy Act applies to the information. Consideration should be given to whether information will be retrieved by name or personal identifier or whether the system can be operated without personal identifiers as a statistical system. A program office that needs to make a determination regarding the application of the Privacy Act to a collection of records should contact their bureau’s Privacy Act officer for assistance.

The Privacy Act, unlike the FOIA, has several definitions that limit the applicability of the Act’s requirements. The two major qualifications in the Act are found in the definition of “record” and “system of records,” and must be carefully considered when determining whether the information is a Privacy Act system of records. These qualifications are of particular importance when the records are in an information system or are the raw data logs generated to administer an automated system or network.

The determination that a particular set of records is subject to the Act obligates Treasury to publish a Privacy Act system of records notice (SORN) in the Federal Register; develop the Privacy Act statement for each form that is used to collect information from an individual; establish a means of providing the “accounting of disclosure” required by the Act; address the recordkeeping and safeguarding requirements; establish procedures for access to and amendment of the records; and if necessary, publish a rule exempting the system of records from provisions of the Act. (See Chapter 4 for guidance in publishing a PA notice.)

B. Steps for Determining Whether the Privacy Act Applies

1. First, make a determination about whether the information meets the Privacy Act definition of a “record.” It is important to note that the Privacy Act definition of this term is narrower than it is in the context of records management. The Privacy Act defines a record as follows:

Any item, collection, or grouping of information about an individual that is maintained by the Department and that contains the name, or an identifying number, symbol or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. The record may include, but is not limited to, the individual's education, financial transactions, medical history, and criminal or employment history.

2. Second, make a determination about whether the information will be operated as a “system of records.” The Privacy Act defines a system of records as the following:

A group of any records under the control of the Department from which information is retrieved by the name of an individual, or by some other identifying number, symbol, or particular assigned to an individual.

The use of names or personal identifiers to retrieve a record determines whether the record, regardless of whether it’s an electronic or paper record, is a "system of records" under the requirements of the Privacy Act.

3. Once a determination is made that information meets the Privacy Act definition of a record and that it will be operated as a system of records, the following questions should be considered:.

1. Is the information collected necessary to the conduct of an agency’s core program purposes?

2. Will information about individuals be collected?

3. What is the purpose for gathering information about individuals

4. Is the information being gathered as an administrative adjunct or as a means of organizing the information for use in a particular program (e.g., name of company, address, telephone number, e-mail address, subject area of program, fax number, name of contact person, etc.)?

5. Is the purpose to render a decision on the qualifications of a company, program or an individual?

6. Does the information collected take notice of any individual characteristics of an individual identified in the system? (e.g., educational or technological expertise, physical characteristic and/or makes a character judgement about an individual.)

7. Is the information being gathered for a law enforcement purpose?

8. Will identifying numbers associated with an individual be used to retrieve this information (i.e., SSN, name, badge number, etc.)? If so, even a few retrievals by an individual’s name will cause the system to be subject to the Privacy Act.

9. What are the agency’s actual retrieval practices? Is actual retrieval keyed to the individual by name or other identifier, or is the retrieval by individual identifier only done on an “ad hoc” basis, even if not retrieved in practice.

C. Systems Covered by the Act

The following are some examples of systems of records that are covered under the Act:

1. A paper or electronic system of files kept by a supervisor on each employee that includes information concerning hiring, promoting, or training of each employee, filed and retrieved by the employee’s name and/or Treasury Employee Identification Number (EMPLID).

2. A system of files containing information such as a contractor's personal address, experience, qualifications, references, etc., and retrieved by the individual's name.

3. A system of files with applications for employment that are filed and retrieved by the applicant’s name.

4. A system of files with applications for a grant program upon which a decision is made based on one or more personal characteristics of an individual, and retrieved by a computer-generated ID number assigned to the grant applicant..

5. A chronological file cross-referenced to an alphabetical listing by name

D. Systems not Covered by the Act

The following are some examples of a collection of records that are not covered under the Act:

1. Purely private notes maintained by a supervisor regarding employees, used as personal memory refreshers.

2. Folders named for each state or congressional district with no index by an individual's name.

3. Records filed by subject matter (e.g., "general correspondence," "employee grievances") or company names, with no separate indices which enable retrieval by an individual's name or assigned number or symbol.

4. A personal phone list, card index system or contact file maintained by individual employees to assist them in their work, enabling them to meet deadlines, call people in other bureaus, etc.

If the PA applies to the system of records, a determination should be made as to whether the records are already covered by an existing PA system of records, such as an Office of Personnel Management (OPM) Government-wide system, or an existing Treasury-wide or othersystem of records. If so, should the existing Treasury system notice be altered? For example:

1. Travel records that may fit into one Department-wide or Bureau system.

2. Personnel-type records into an "umbrella system" for all personnel records of a bureau, Department-wide system, or OPM Government-wide system.

3. Records that contain the same kinds of individuals, information, and routine uses, but are in different locations.

E. Government- wide Systems of Records

Eight Federal agencies have responsibility for one or more systems of records under the PA which contain records used and located in many or all Federal agencies. The records may be located in other agencies, but they are being used under the authority of and in conformance with the rules mandated by the publishing agency (i.e., OPM or the Department of Labor). These agencies have published notices for those systems of records for which they have responsibilities as the primary system manager. OMB Circular A-130 states: “agencies should not publish systems of records that wholly or partly duplicate existing Government-wide systems of records.” (61 FR 6439)

These agencies and the respective system number, system name, and the date and cite of its publication in the Federal Register are listed below:

1. Equal Employment Opportunity Commission.

EEOC/GOVT-1 -- Equal Employment Opportunity in the Federal Government Complaint and Appeals Records. Published July 30, 2002, at 67 FR 49338.

2. Environmental Protection Agency.

EPA-GOVT-2 -- Federal Docket Management System (FDMS). Published March 24, 2005, at 70 FR 15086.

3. DHS/Federal Emergency Management Agency.

DHS/FEMA/GOVT-1 -- National Defense Executive Reserve System Published January 7, 2009 at 74 FR 722.

4. Federal Retirement Thrift Investment Board

FRTIB-1 Thrift Savings Plan Records. Published: 64 FR 50092, September 15, 1999. Effective: January 3, 2000 (see 64 FR 67917, dated 12/3/1999)

5. General Services Administration.

a. GSA/GOVT-2 --Employment Under Commercial Activities Contracts. Published February 10, 1983 at 48 FR 6176.

b. GSA/GOVT-3-- Travel Charge Card Program. Published September 10, 2009, at 74 FR 46592.

c. GSA/GOVT-4 --Contracted Travel Service Program. Published April 25, 2008, at 73 FR 22401.

d. GSA/GOVT-5--Access Certificates for Electronic Services (ACES). Published April 25, 2008, at 73 FR 22380.

e. GSA/GOVT-6--GSA SmartPay[reg] Purchase Charge Card Program. Published April 25, 2008, at 73 FR 22376.

f. GSA/GOVT-7--Personal Identity Verification Identity Management System (PIV DMS). Published April 25, 2008, at 73 FR 22377.

g. GSA/GOVT-8--Excluded Parties List System (EPLS). Published April 25, 2008, at 73 FR 22374

h. GSA/CIO-1 System name: GSA Smart Card Program. Published October 25, 2006 at 71 FR 62469 (PIV Card system)

 

6. Department of Labor.

a. DOL/GOVT-1-- Office of Worker’s Compensation Programs, Federal Employees’ Compensation Act Files. Published September 23, 1993, at 58 FR 49556.

b. DOL/GOVT-2 -- Job Corps Student Records. Published September 23, 1993, at 58 FR 49558.

7. Merit Systems Protection Board. MSRB/GOVT-1 -- Appeal and Case Records. Published November 21, 2002 at 67 FR 70254.

8. Office of Government Ethics.

a. OGE/GOVT-1 -- Executive Branch Public Financial Disclosure Reports and Other Ethics Program Records. Published January 22, 2003, at 68 FR 3099.

b. OGE/GOVT-2 -- Confidential Statements of Employment and Financial Interests. Published January 22, 2003, at 68 FR 3101.

9. Office of Special Counsel

OSC/Govt-1– OSC complaint, Litigation and Political Activity Files. Published November 19, 1999, at 64 FR 63359.

10. Office of Personnel Management.

a. OPM/GOVT-1-- General Personnel Records. Published April 27, 2000, at 65 FR 24731.

b. OPM/GOVT-2-- Employee Performance File System Records. Published April 27, 2000, at 65 FR 24737.

c. OPM/GOVT-3-- Records of Adverse Action and Actions Based on Unacceptable Performance. Published April 27, 2000, at 65 FR 24739.

d. OPM/GOVT-5-- Recruiting, Examining, and Placement Records. Published April 27, 2000, at 65 FR 24741.

e. OPM/GOVT-6-- Personnel Research and Test Validation Records. Published April 27, 2000, at 65 FR 24744.

f. OPM/GOVT-7-- Applicant-Race, Sex, National Origin, and Disability Status Records April 27, 2000, at 65 FR 24746.

g. OPM/GOVT-9-- File on Position Classification Appeals, Job Grading Appeals, and Retained Grade or Pay Appeals. Published April 27, 2000, at 65 FR 24748.

h. OPM/GOVT-10-- Employee Medical File System. Published June 21, 2010, at 75 FR 35099.

11. Department of Transportation

DOT/ALL-8—Employee Transportation Facilitation. Published April 11, 2000, at 65 FR 19475

 

 

 TOP

 

III. Record Keeping Under the Privacy Act

A. General Requirements

B. First Amendment Rights

C. Information Collected from Third Parties

D. Restrictions on the Maintenance of Information about Individuals

E. Information collected by personal interviews

F. Maintaining Accurate, Relevant, Timely, and Complete Records

G. System Manager Responsibilities



III. Record Keeping Under the Privacy Act

Summary: This chapter identifies record management issues and restrictions imposed by the Act upon the collection and maintenance of information. The general requirements imposed on a system manager by the Act are also highlighted

A. General Requirements

The Act and Treasury Department regulations require that before an agency begins to accumulate information on individuals, it must realistically assess the need to maintain such information and have a plan for the collection, processing, use, storage, and disposition of information.

Each component shall establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

All employees involved in the design, development, operation or maintenance of any system of records subject to the PA should be aware of the provisions in the Act concerning the legality, relevance and necessity of the information maintained about any individual.

B. First Amendment Rights

 

No component shall maintain a record describing how any individual exercises rights guaranteed by the First Amendment. Although the Department may not keep records describing how any individual uses First Amendment rights, in certain instances records describing First Amendment rights may be maintained but only if the following conditions are met:

1. The law specifically authorizes it. For instance, an individual's religious affiliation is made known when verifying contributions above a specified amount on tax returns or describing contributions to tax exempt groups of which he or she is a member.

2. The individual expressly authorizes it. For example, the individual provides information regarding experience as a group leader in a political organization to demonstrate leadership skills when applying for a government position.

3. The record is pertinent to and within the scope of an authorized law enforcement activity in which political or religious activities may be used as a cover for illegal activities.

 

C. Information Collected from Third Parties

 

Since information collected from a third-party source could be erroneous, irrelevant, or biased, subsection (e)(2) of the Act provides that determinations which may adversely affect an individual's rights, benefits and/or privileges under a Federal program be made on the basis of information supplied by the record subject when practicable. This affects Department law enforcement activities connected with criminal and civil investigations where inquiries to third parties in gathering, soliciting and documenting evidence are necessary to develop cases.

Procedures should be periodically reviewed to be sure that they are consistent with subsection (e)(2) of the Act and should consider:

1. The nature of the program whereby information can only be gathered from third-party sources, such as employers and banks providing earning statements to the Social Security Administration and to the Internal Revenue Service;

2. The cost of collecting the information directly from individuals compared with the cost of collecting information from third parties;

3. The risk that inaccurate information could adversely affect the individual;

4. The need to ensure the accuracy of information supplied by the individual;

5. The need to ensure the accuracy of the information supplied by the third party by consulting with the individual involved before making a determination based on the third-party information.

D. Restrictions on the Maintenance of Information about Individuals

Subsection (e)(1) provides that each agency that maintains a system of records will "maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President."

1. The information must serve a purpose required by statute or Executive Order.

2. Information must be both relevant and necessary to accomplish the authorized purpose for which it was intended. To determine this, it must be established that a legitimate purpose will be served by the information being maintained consistent with the intent of the Act.

3. The factors considered in determining whether information is relevant and necessary may vary, depending on the needs in each specific case. Examples of some of these considerations are:

 

a. Does the information relate to the legal purpose for which the system is maintained?

b. What are the adverse consequences, if any, of not collecting this information?

c. Does information have to be used in an individually identifiable form?

d. Could a sampling of information be used or does information have to be collected on everyone in the system?

e. How long is it necessary to retain the information?

f. Even though the information may be relevant and necessary under the statute, is it specifically relevant and necessary only in certain areas?

4. The content of systems of records should be analyzed or reviewed periodically:

a. In connection with the initial design of a system of records; or

b. Whenever any change is proposed to an existing system of records; or

c. Whenever an individual requests deletion of information on the basis that it is not relevant and necessary. If the inclusion of this information is characteristic of the types of records collected throughout the system, but is truly not relevant and necessary, the system manager must correct the problem immediately.

5. Special attention should be paid to the design of an automated system. Since all the data elements to be included are known at the time of the initial design, careful consideration should be given to including only information that is specifically "relevant" and "necessary."

6. When preprinted forms are used to gather information, the design of the form should be tailored to gathering only relevant and necessary information.

 

E. Information collected by Personal Interviews

 

Special problems may be encountered when information is gathered in personal interviews or by using investigative procedures and recorded in narrative form. There is a greater risk of gathering information that is not truly relevant or necessary. Instructions to personnel should stress some of the following:

1. The use of judgment and discretion in determining the kind of information to be requested and recorded as it relates to the purpose of the investigation or inquiry.

2. The use of extreme caution when dealing with information that would not generally be made public by the individual involved. This information should be collected only if it can be shown that it bears a direct relationship to a particular case.

3. Even though a person volunteers information, this in itself does not permit recording it, unless it specifically relates to the reason for securing information.

4. Opinions and subjective impressions about individuals should be avoided unless they serve a purpose in the collection of the information. For example, an official may record these impressions when investigating potential crimes or when recommending further investigations. These impressions should be identified as such and, whenever possible, include factual data.

Review procedures should be set up and used by the system manager to identify any instances where irrelevant and unnecessary data may have been collected. Reviewers should be authorized to delete this information from the record, making a note that irrelevant information has been deleted during a review. Employees should be made aware of these instances so that they may better understand the importance of gathering only relevant and necessary material. Whenever the collection of irrelevant data appears to be a rather widespread problem, further guidance should be given or other corrective actions taken if warranted.

F. Maintaining Accurate, Relevant, Timely, and Complete Records

 

Subsection (e)(5) provides that each agency that maintains a system of records will "maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination." An exception to this requirement is when the agency has properly exempted a system of records from certain provisions of the Act pursuant to 5 U.S.C. 552a (j) and (k) [See Chapter 11].

Subsection (e)(6) provides that "prior to disseminating any record about an individual to any person other than an agency, unless the dissemination is made pursuant to subsection (b)(2) of this section [the FOIA], make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes."

The nature of the information should be clearly stated, as when the information is based upon statements made by others, such as witnesses about an individual.

Completeness is essential when collecting information. However, it is also essential that only relevant and timely information be gathered.

There is a continuing responsibility to meet the requirements of subsections (e)(5) and (e)(6). Employees must be alert to the fact that notations made and actions taken may

have far-reaching effects on the rights of individuals. Employees must make every effort to assure that the records created will not result in any unfair determinations about any individual.

Employees who discover discrepancies should report them to the system manager so that review and appropriate action can be taken.

G. System Manager Responsibilities

System managers play a key role in the operation of the system of records under their control by ensuring compliance with the Privacy Act. They act as the primary point of contact for receipt of requests for review, access, amendment, and the accounting of disclosures. System managers are also responsible for notifying the Departmental or Bureau Disclosure Officer when establishing, maintaining, revising, or deleting a system of records. In addition to designing and developing the system of records, system managers are involved with initiatives for matching activities, and the disclosure and dissemination of information.

Each system manager should be aware of the requirements of the Privacy Act; OMB Circular A-130, Appendix I - “Federal Agency Responsibilities for Maintaining Records About Individuals,” 61 Federal Register 6428, dated February 20, 1996; Department of the Treasury Disclosure Regulations, 31 CFR Part 1, Subpart C; and Treasury Directive 25-04 “Implementation of the Privacy Act of 1974, as Amended.”

System managers are initially responsible for determining when information about individuals needs to be collected, what the policy objectives to be served by the collection are, and whether the collection is authorized by a statute or Executive Order. In assessing the need for the information the system manager should consider whether the agency really needs to use information that is individually identifiable or would a sampling procedure or other non-specific process suffice? The assessment should also consider what the financial cost associated with maintaining the information is, and what the risks or adverse consequences are to the agency of not collecting the information.

When developing the system, system managers need to be aware of the types of information required and its source. The Privacy Act prohibits the collection of information concerning how an individual exercises his or her First Amendment Rights, except under specific conditions, and it requires that information about an individual be obtained primarily from that individual, to the greatest extent practicable. This is particularly important when the individual may be denied a right or benefit by the Department based on information from third-party sources that may be erroneous, outdated, irrelevant or biased.

The system managers prescribe the policies and procedures used for maintaining the system of records which includes collection, access, storage, retention and disposal of the record.

System managers must also determine if the records qualify for exemption from certain provisions of the Privacy Act pursuant to 5 U.S.C. 552a (j) or (k) or if records may be compiled in anticipation of litigation.

System managers may need to evaluate the applicability of the Privacy Act to solicitations or contracts involving a Privacy Act system of records and should be familiar with the restrictions on its use by a contractor imposed by the Act.

The development of any plans by the system manager should be consistent with the intent of the Privacy Act and good record management policies and procedures and cover such areas as:

1. Administrative and physical controls for storing and safeguarding records to ensure the protection of the records system from unauthorized access or disclosure (e.g., physical security, personnel screening, etc.), and from physical damage or destruction;

2. Categories or level of employees within the agency who have access to the records for the performance of their duties;

3. Format or media in which the records are maintained (paper, electronic), how long the records will be maintained in their immediate office and when they are moved to a Federal Records Center, or turned over to the National Archives and Record Administration;

4. Criteria for determining at what point the records will have satisfied the purpose for which they were collected and when and how the records will be destroyed.

The system manager should be aware of any files or databases for which another agency has published a Government-wide system of records notice, and if so, how to process the request for notification, access and amendment in conformance with the policies mandated by the publishing agency.




IV. Publication Requirements

Summary: This chapter pertains to the drafting and publication of Privacy Act notices. The requirements of the Office of the Federal Register concerning Privacy Act notices and rulemaking documents are highlighted. The elements needed for a notice and report to OMB and Congress are also explained.

A. In General

Information about individuals cannot be collected for inclusion in a system of records until a notice of that system has been published in the Federal Register.

A system of records may be operated exclusively by a bureau; however, the Departmental Offices is responsible for publishing the system notice in the Federal Register.

Each component is responsible for preparing the required reports and notices of proposals to establish or alter a system of records. These notices and reports will be prepared in accordance with this handbook and the Office of Management and Budget (OMB) Circular No. A-130, Transmittal Memorandum # 4 (November 28, 2000). Material will be prepared for signature of the Deputy Assistant Secretary for Privacy, Transparency, and Records (DASPTR) for submission to the Office of the Federal Register, Congress, and the Office of Management and Budget. Letters transmitting reports to Congress shall be signed by the DASPTR.

The utmost care must be used in preparing the notice to establish or alter a system of records since the use or maintenance of such a system, except in accordance with an approved published notice, would not be allowed under the PA. An officer or employee of a component who willfully maintains a system of records without meeting the notice requirements of the Act may be found guilty of a misdemeanor and fined up to $5,000.

The public notice must be as simple and clear as possible and yet must achieve the objective of informing the public of the nature and purpose of the system of records. Therefore, care must be used in the tone, language, length, and amount of detail of the public notice.

Each component responsible for creating a new system of records or altering an existing system of records must first have its respective bureau legal counsel's approval of the notice documents. In addition, the final version of all system notices, reports, etc., must receive official concurrence by the bureau’s responsible officials and legal counsel before being submitted to the Departmental Disclosure Office.

A transmittal memorandum from the head of the component responsible for the office establishing or altering the system of records, explaining the action taken and the

reasons for the action, shall accompany the final package which is forwarded to the Office of Privacy, Transparency, and Records, Privacy and Civil Liberties for signature by the DASPTR.

B. When to Publish a System of Records Notice

There are several different circumstances under which a notice of a system of records must be published:

1. To establish or make significant alterations to a system of records. The documents needed to publish a notice establishing or altering a system of records must include the following:

a. Preamble and notice;

b. A report to OMB and Congress;

c. If an exemption is being claimed for the system, a proposed rule and a final rule must be published in the Federal Register as part of the rulemaking process.

2. To make minor changes to a system of records. A notice may be submitted to reflect minor modifications to an existing system of records. When required by the Departmental Disclosure Office, a memorandum shall be submitted demonstrating that the system does not fall within the criteria established for submitting a report on the system, and that there need be no interruption or delay in operating the system.

3. To delete a notice of a system of records. A notice may be deleted because the system was submitted in error, is not subject to the PA, has been discontinued, or is a duplication of an existing system. If it is important that the public be informed as soon as possible of the deletion, notice of the deletion may be given by proper notice in the Federal Register. When time is not a factor, the deletion may be part of the periodic updating of notices. Once deleted, reinstatement of the same system will require a new system report.

Each of the above documents will be prepared in draft form and submitted to the Office of Privacy, Transparency, and Records, Privacy and Civil Liberties for review prior to submission of the final package to the DASPTR.

A sample package of the above items is available from the Office of Privacy, Transparency, and Records, Privacy and Civil Liberties.

C. Federal Register notice documents

1. Format and Content of a Preamble. The document that the Department submits for publication in the Federal Register is to comply with the requirements of the Document Drafting Handbook published by the Office of the Federal Register (OFR).

This can be found on-line at: http://www.archives.gov/federal-register/write/handbook/ddh.pdf .

The document begins with a series of headings to identify the issuing agency, the subject matter and, if appropriate, the CFR title to be amended. This is followed by the “preamble,” which explains the purpose of the document being published but cannot contain any regulatory text. The last segment is the actual Privacy Act notice being published or amended.

Each PA notice or rule published in the Federal Register requires a preamble to inform the reader of the basis and purpose of the notice. The preamble contains the following captions and associated text as required by the Office of the Federal Register:

a. Agency: This caption should match the "Agency" and when appropriate, "Subagency" headings used at the top of the document. When a subagency and agency appear together, the subagency name is carried first and the agency name is represented by its commonly used acronym or other shortened expression. This caption may also identify a smaller organizational unit within the agency. (Examples: IRS, Treasury; or Departmental Offices, Treasury.)

b. Action: This caption is designed to identify the type of document being presented; i.e., Notice of a Proposed System of Records; Final Rule, etc. It is not to describe or summarize the substance of a document.

c. Summary: This caption explains the "why" and "what" of the document being issued. It is a brief description, written in language that a non-expert will understand. It should allow the reader to determine the subject, the reason for the action, and the intended effect of the document. The text of this caption should not attempt to prove a point or argue a case.

d. Date(s): This caption presents the "when" of a document. It includes the dates within a document that are essential to the notice or rulemaking process; i.e., the deadline for receipt of public comments, the effective date of a notice or rule, or other dates relevant to public knowledge of the process.

For the purposes of the PA, a specific date must be linked to the notice or rule being published in the Federal Register. To alert the Office of the Federal Register to the need to compute the correct date(s), the following phrase may be used: "[insert date 30 days after publication in the Federal Register]."

Please note that the Federal Register's calculation of dates after publication will automatically bump a date forward if that date falls on a weekend or a Federal holiday. In the event the 30-days date falls on a weekend the date is automatically jumped to Monday the 31st. It is standard so that the public will have a business day for a closing date. While weekend and holidays are counted within the period of days, the OFR will not let it fall on one unless it has specific instructions to do so.

e. Address(es): This caption explains the "where" of the document. It includes the address(es) where an individual may submit comments, attend a public hearing, or examine any relevant material in response to a proposed notice or rulemaking proceeding.

f. For Further Information Contact: Under this caption, the name and telephone number of a person within the agency who can answer questions about the notice or rulemaking should be included. Two or more persons may be listed as contacts regarding different aspects of a document.

g. Supplementary Information: Necessary information not identified by existing captions should be placed here. This caption should also contain any authority citation or other citation when appropriate. The text should be presented in language easily understood by the reader.

The cost of publishing the documents in the Federal Register is borne by the Treasury component submitting the documents. The "billing code" used by each component is listed in TD 28.01 and is to be printed at the top right-hand corner of the first page of the preamble.

2. Format and Content of the Notice. Since the notice is to assist an individual in determining if information on him/her might be in the system, the description of the categories should be clearly stated in non-technical terms which can be understood by people unfamiliar with data collection techniques. The notice contains certain prescribed data elements which are described below:

a. Identification of the component and the system number. The agency system identification number is assigned by the Treasury Department component establishing or altering the system of records. The system number follows the identification of the Treasury component responsible for the system (e.g., Treasury/DO .150).

b. System name: The system name should reflect the categories of individuals in the system and/or briefly describe the records in the system. The public should be able to determine from reading only the name whether the system covers Federal employees or the public; and, if it covers the public, what segment of the public is covered.

c. System location: The Department must specify each city/town and site where the system of records is located. However, exceptional situations may dictate not including the listing in the body of the notice; e.g., records kept in many locations such as regional and district offices nationwide. In these instances it may be appropriate to publish a list as an appendix.

d. Categories of individuals covered by the system: The purpose of this requirement is to assist an individual in determining if information on him/her might be in

the system. Therefore, the description of the categories should be clearly stated in non-technical terms understandable to people unfamiliar with data collection techniques.

e. Categories of records in the system: The category of records should briefly describe, in non-technical terms, the types of information contained in the system. The additions of new categories of records not within the categories described in a current notice requires the issuance of a revised public notice before the change is put into effect.

f. Authority for maintenance of the system: The authority for maintenance of the system should state the specific statutory authority or Executive Order that authorizes maintaining the system. The PA of 1974 is not authority for the collection or maintenance of any information.

g. Purpose(s): This element describes the objectives for collecting or maintaining information. The description should include all major purposes for which the records will be used by the agency.

h. Routine uses of records maintained in the system, including the categories of users and the purposes of such uses: The Act defines "routine use" as "with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected." Accordingly, this data element of the notice should identify the types of disclosures made from the system of records pursuant to 5 U.S.C. 552a(b)(3), the category of recipients, and the purpose of disclosure. The routine uses should be clearly and specifically stated so that they are understandable to the reader.

i. Disclosure to consumer reporting agencies: This element is included if information is to be disclosed to consumer reporting agencies to encourage repayment of an overdue debt pursuant to section 3 of the Debt Collection Act of 1982. If no such disclosure is to be made, this element should be omitted.

 

j. Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system: Four separate units of information are required to describe how the records are maintained, safeguarded, accessed and retained:

(1) Storage: A description of the form in which the records are maintained (e.g., paper records, magnetic media).

(2) Retrievability: The way in which the system is indexed and accessed (e.g., by name, identification numbers, combinations of personal characteristics).

(3) Safeguards: An explanation of measures taken to prevent unauthorized disclosure of records (e.g., physical security, personnel screening) and categories of individuals within the agency who have access.

(4) Retention and disposal: How long the records are maintained; if they are moved to a Federal Records Center or to the National Archives and Records Administration; if and how they are destroyed. A statement may be made to reference the records disposition schedule used.

k. System Manager(s) and address: This section gives the title and business address of the agency official responsible, or officials if jointly responsible, for the system policies and practices outlined above. Personal names should not be included. Where locations are geographically dispersed (as in regional or district offices), the responsible official at each location should be listed in addition to the agency official responsible for the entire system. If the system does involve several managers and locations, they may be listed in an appendix. A contractor should not be designated as the system manager.

l. Notification procedures: The name of the agency office to which individuals should address their requests and the locations at which individuals may present a request to determine whether a system contains records pertaining to them. Include any identifying information that you require individuals to provide for the agency to ascertain whether a system contains a record about the individual. "Notification" is the "where and how" of determining if a PA system of records contains records pertaining to an individual. Where there are several locations for a single system of records, there may be a single system manager in charge of the entire system, and different personnel handling notification inquiries at each location. If the system involves several persons and locations, you may list them in an appendix. In order to avoid excessive delay and exchanges of correspondence, you should encourage individuals to request both notification and access at the same time.

m. Record access procedures: This describes the means by which individuals can find out how to gain access to records maintained about them. The agency official to contact should be provided or, if applicable, refer to "Notification Procedures." Any identifying information that individuals are required to provide for the agency to retrieve the necessary records should be given. Again, if applicable, a reference may be made to "Notification Procedures." Requesters should be advised to reasonably specify the record contents they seek. If the system is exempt from this provision, that fact should be stated.

n. Contesting record procedures: This section should describe the means by which individuals can contest a record. Requesters should be advised that they should reasonably identify the record and specify the information they are contesting and why they believe it is inaccurate, irrelevant, incomplete, untimely, or unnecessary. If the system is exempt from this provision, that fact should be stated.

o. Record source categories: This section should indicate in general terms the source of the information as well as whether the individual to whom the records pertain is a source of the information in the records. Guidance on withholding the identity of a source is contained in subsections (k)(2), (5) and (7) of the Act.

p. Exemptions claimed for the system: This identifies the subsections of the Act which permit the Department to exempt the system and the provisions of the Act from which the system is exempt. If the system is not to be exempt from provisions of the Act, this data element must be included with an indication of "None." See Chapter 10 for additional information pertaining to exemptions.

D. Report to OMB and Congress Requirements

1. Report on New Systems. The report on a new system is intended to provide an opportunity to examine the effect of the new system on citizens, the provision for confidentiality and security in such system and the extent to which the creation of the system will alter or change interagency or intergovernmental relationships related to information programs. The report should contain information which will meet these objectives. In applying the report criteria, a reasonable standard should be used to avoid excessive reporting of insignificant details which would have no meaningful effect upon PA consideration.

A report on a new system must be submitted when the establishment of a new system of records, subject to the PA, is proposed.

2. Report on An Altered System. A report is also required when an alteration to an existing system meets any of the following criteria:

a. The alteration increases the number or changes the types of individuals on whom records are maintained. A change involving the number, rather than the types, of individuals about whom records are kept need only be reported when that change significantly alters the character and purpose of the system of records. Normal increases in historical files or other increases in the number of records in a file which can be attributed to normal growth patterns need not be reported. Examples of changes which do not need to be reported are increases in the cases opened because of greater efficiency; increases in the number of requests for services rendered from the public; increases resulting from the continuous accumulation of records.

b. The alteration expands the type of categories of information maintained. For example, if an employee payroll file is expanded to include data on education and training, this would be considered an expansion of the type of categories of information maintained, and would have to be reported.

;c. The alteration changes the purpose for which the information is used.

 

d. The alteration changes the equipment configuration, hardware, and/or software that creates substantially greater access to the records in the system. For example, locating interactive terminals at regional offices for accessing a system formerly accessible only at the headquarters would require a report. A report is not required for a routine acquisition of equipment, as long as the use of the acquired equipment is consistent with the use of the existing system, does not involve a risk of improper access or does not cause greater access to the information. The use of automated equipment for preparing a sort or analysis of information maintained in a manual system, without creating a continuing storage or retrieval capacity, does not constitute a change in configuration.

When a change to an information technology installation, telecommunications network, or any other general changes in information collection, processing, dissemination, or storage that affect multiple systems of records is made, a single consolidated new or altered system report may be submitted with changes to existing notices and supporting documentation included in the submission.

3. The following questions may be helpful in determining if a report needs to be submitted because of significant changes to the system of records:

a. Is this information presently included in an existing system of records?

No _____ If no, answer the following questions.

Yes _____ If yes, identify the system of records.

b. Will there be an increase or change in the number or types of individuals on whom records are maintained? If so, explain.

c. Will the type or categories of information maintained be expanded? If so, explain.

d. Will the nature or the scope of these records be changed by altering the manner in which the records are organized, indexed, retrieved, etc.? If so, explain.

e. Will this alter the purpose for which the information is used? If so, explain.

f. What is the current method of access to the system of records?

g. How are the records currently stored?

h. Will this be changed? If so, briefly explain how.

E. Format and Content of the Report

The report consists of a narrative statement and supporting documentation for review and approval by the Departmental Disclosure Officer. The statement should refer to information in the supporting documentation rather than restating this information.

The narrative statement should be brief, typically not exceeding four single-spaced pages, and should contain the following:

1. Introduction. Give background information. For example, for a revised system, provide information on when originally established, where notice was published in the Federal Register, and the last republication date, if different. For a new system, state why the system is needed. Note: If no changes to existing rules are required, this fact should be stated in the Introduction. If a new system of records or an alteration to an existing system will require the publication of a proposed and final rule amending 31 CFR 1.36, this fact should be disclosed as part of the report.

2. Purpose. For a new system, explain what the system will include and how it will be used. For a revised system, explain the necessity for revision. If the system is to be automated and greater access to the records in the system would result, explain in detail why this system is being automated and on what basis that determination was made (for example, the need for rapid retrieval as a result of a time-measurement study).

3. Authority. Identify the specific statutory provision or Executive Order that authorizes the maintenance of the system of records. The PA of 1974 is not authority for maintaining a system of records.

 

4. Probable Effect on Individual Privacy or Other Rights. This is an evaluation of the probable or potential effect of the proposed system of records on the privacy or other personal rights of individuals. How will the proposed new or altered system of records impact an individual’s privacy due to the purpose for which the information is collected or because of the manner in which it is disseminated? Will the effect be a reduction of salary, loss of eligibility in a Federal program, or cause the individual to be subject to administrative or civil proceedings or possible incarceration because of a violation of a criminal law?

If no adverse effect is determined, a statement should be made regarding the system’s minimal effect on individual privacy.

5. Security Provided for this System. Do not limit this item to physical security only. Include such things as the personnel who will have access and the title of the individual who determines the personnel access and, if applicable, the criteria for that determination. Provide a brief description of the steps taken by the agency to minimize the risk of unauthorized access to the system of records. Since a more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established is to be made available to the Office of Management and Budget upon request, the assessment should be accomplished now and a copy provided to the Departmental Disclosure Office.

6. Compatibility of Routine Uses of Proposed System. Explain how each proposed routine use (i.e., disclosures outside the agency) satisfies the compatibility requirement of subsection (a)(7) of the Act. For altered systems, this requirement pertains only to any newly proposed routine uses or any routine use to which an amendment is being proposed that increases the availability of PA records or amends the manner in which the records may be used.

7. Office of Management and Budget (OMB) Requirements. Provide OMB control numbers, expiration dates, and titles of any OMB-approved information collection requirements contained in the system of records. For example:

Title/Form Control Number Expiration Date

Suspicious Activity Report/ 1506-0001 4/30/06

TDF-90-22.47

If the request for OMB clearance of an information collection is pending, simply state the title of the collection and the date it was submitted for OMB clearance.

F. Timing

1. The schedule for submitting the report, notice and proposed rule to the Department for review and approval is determined by:

a. the date on which the bureau proposes to issue the data collection forms and/or instructions; and/or

b. the date on which the bureau begins to maintain information on individuals in the new or altered system.

2. The review and approval process involves three stages:

a. Departmental review and approval.

(1) Draft review: Bureaus should submit drafts of the report, preamble and notice, and any proposed rule to the Departmental Disclosure Office at least 90 days before the system of records is to be implemented.

(2) Final clearance: The final documents, along with the transmittal memo and risk assessment, must be submitted to the Departmental Disclosure Officer no less than 60 calendar days before the implementation of the system of records or the date on which the alteration to the system is to be made. This permits the required administrative and legal reviews to be conducted prior to the Assistant Secretary for Management and Chief Financial Officer's signature. If proposed and final rulemaking documents are submitted, then, in addition to the reviews conducted for approval by the Assistant Secretary for Management and Chief Financial Officer, the documents must be reviewed and approved by the Executive Secretary pursuant to TD 28-01.

b. Congressional and Office of Management and Budget review. The report, a copy of the system of records notice, and any proposed rule must be submitted to Congress and the Office of Management and Budget no less than 40 calendar days before targeted implementation.

c. Public review and comment. Review by the public requires that the new or revised system notice be published in the Federal Register no less than 30 calendar days before targeted implementation. If a bureau plans to exempt a system of records from provisions of the Act, a proposed regulation must provide for a 30-day comment period for the public. Separate publication of the final rule follows at a future date.

G. Inventory of the Department’s Systems of Records

The existing notices of systems of records will be published in their entirety by the Department of the Treasury every three years in the Federal Register. Bureau disclosure officers will be asked to review their system notices to make necessary changes. The systems of records notices will be reviewed periodically to ensure that they accurately describe the system. The Office of the Federal Register compiles and publishes a complete listing of all agencies' systems of records in the Federal Register's biennial compilation of system notices.

The Department also maintains its inventory of Privacy Act systems of records on its Privacy Act web page at http://www.treasury.gov/privacy/issuances/Pages/handbook.aspx.

The biennial publication of all Privacy Act issuances can be found at:

http://www.treasury.gov/privacy/issuances/Pages/handbook.aspx

 

 TOP


V. Privacy Act Statements, Social Security Numbers and Mailing Lists

A. Privacy act Statement

B. Use and Disclosure of Social Security Numbers

C. Sale or Rental of Mailing List



V. Privacy Act Statements, Social Security Numbers and Mailing Lists

Summary: This chapter explains the need for a Privacy Act statement and what that statement should contain. The chapter also discusses the use of the social security number under the Act and the prohibition on the use of mailing lists

A. Privacy act Statement

The PA requires that whenever an individual is asked to supply information about himself, herself, or a family member, that the individual be completely informed about the use to be made of the information; which information is mandatory and which is voluntary; and the cost or forfeiture that might be experienced in terms of money, time, lost opportunity or other measure of value if all or some of the information is not supplied.

The above applies not only to pre-printed forms such as an application for a position or a benefit, but to sign-in logs and all other documents which require an individual to disclose an identification number or some other identifying symbol. The above should also be provided verbally when information is being collected by an interview, subject to any exemption from provisions of the Privacy Act.

It should be noted that information collections or questionnaires, which are not subject to the PA because the records are not maintained in a system of records, do not require a Privacy Act statement.

The form or verbal instructions used by a bureau to collect data from an individual or a separate form that can be retained by the individual must contain the following information:

1. The authority, whether granted by statute or by Executive Order of the President, which authorizes the solicitation of the information and whether disclosure of this information is mandatory or voluntary. The specific provision of the statute or Executive Order which authorizes the collection of information must be cited. A bureau also needs to state if the individual is required to respond to the request for information or whether compliance is voluntary.

2. The principal purpose or purposes for which the information is intended to be used. When describing the principal purposes for which the information is to be used, the description must include all major purposes for which the record will be used by the agency, particularly those that might be used to determine an individual’s rights, benefit or entitlement.

3. The routine uses which may be made of the information, as published in the Federal Register. The description of the “routine uses” in the Privacy Act statement is based on the published routine uses found in the Privacy Act notice for the system of records in which the records will be maintained. The “routine uses” described in the Privacy Act statement may be a summary of the actual routine uses published in the notice, but it does need to inform individuals under what conditions the information will be disclosed outside the Department.

4. The effects on the individual, if any, of not providing all or any part of the requested information. This requirement is intended to allow the individual from whom information is being sought to know the good or bad effects of providing or not providing the information.

Any new form prepared by a bureau for collecting data must include the above four items if the records are maintained in a system of records. The office issuing the form is responsible for the preparation of the Privacy Act statement. Forms and questionnaires created in the bureaus are subject to the approval of the component's PA Officer.

If a form does not currently contain a statement and there is a need for one, the bureau’s PA Officer will assist in ensuring that the appropriate PA statement is included at the next printing of the data collection form.

B. Use and Disclosure of Social Security Numbers

1. It is unlawful to deny any right, benefit, or privilege provided by law to any individual because of that individual's refusal to disclose his or her social security account number.

However, this does not apply to:

 

a. Any disclosure that is required by statute; or

b. The disclosure of a social security number to any Federal, state, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted before that date for the purpose of verifying an identity.

 

2. Any bureau that asks an individual to disclose his or her social security account number will inform that individual:

 

a. Whether disclosure is mandatory or voluntary;

b. By what statutory or other authority such number is solicited; and

c. What uses will be made of it.

 

C. Sale or Rental of Mailing List

An individual's name and address shall not be sold or rented by a bureau unless such action is specifically authorized by law. This is not to be construed to require the withholding of names and addresses otherwise permitted to be made public.

 

 TOP


VI. Accounting for Disclosures

A. In General

B. Requirements

C. Procedure

D. Maintenance of Accounting Records

E. Access to Records of Disclosure

F. Processing Instructions

G. Records of Accounting Not Available to the Individual

 

VI. Accounting for Disclosures

Summary: This chapter tells about when and how to account for the disclosure of PA records; when the accounting is to be made available; how to process a request for the accounting; and when such accounting is not required to be made available to the individual.

A. In General

When a disclosure (either orally or in writing) is made from a PA system of records, the Act requires that a written record accounting for the disclosure be established. The accounting of the disclosure is to be maintained for a period of five years from the date of the disclosure, or for the life of the record, whichever is longer.

The purposes of the accounting are: (1) to allow individuals to learn to whom records about themselves have been disclosed; (2) to provide a basis for subsequently advising any person or agency to which disclosures have been made of any corrected or disputed records (see Chapter 8 of the Handbook); and (3) to provide audit trails for subsequent reviews of agency compliance with the disclosure requirements of the Act.

No accounting is required for disclosure of records when: (1) the individual has been given access to his/her own record; (2) disclosure is made to those officers and employees of the agency that maintains the record who have a need for the record in the performance of their duties; or (3) disclosure is required by the FOIA.

B. Requirements

The written record of a disclosure shall contain:

1. A description of the record disclosed;

2. The name, position title, and mailing address of the person to whom the disclosure was made;

3. The nature or purpose of the disclosure; and

4. The date of the disclosure.

 

C. Procedure

Accounting for disclosures need not be standardized throughout the Department; however, every office, division, or branch of each component that discloses such information, either orally or in writing, must maintain some written record of a disclosure or be able to reconstruct documentation listing all disclosures made outside the Department. Accounting records should:

1. Be established in the least expensive and most convenient form that will permit the system manager to advise individuals, promptly upon request, of what records concerning them have been disclosed and to whom.

2. Provide, at a minimum, a clear description of the record disclosed, the name and address of the person or agency to whom the disclosure is made, and the date, nature and purpose of the disclosure.

3. Be maintained for 5 years or until the record is destroyed. The accounting pertaining to records transferred to a Federal Records Center, unless maintained separately, shall be transferred with the records themselves.

D. Maintenance of Accounting Records

The written record of a disclosure may be maintained either with the record from which the disclosure was made, or elsewhere. However, the accounting record must be maintained in a manner that ensures retention for at least five years or for the life of the record and permits an accurate and complete response to any proper request for an accounting of all disclosures made.

If a record is maintained on magnetic tape or some other electronic format which precludes attaching a copy of the accounting, no duplicate need be prepared. However, a log shall be kept containing all the data required.

The method used to account for disclosures is not a system of records as defined by the Act. Therefore, it is not necessary to do an accounting of records disclosed from it.

E. Access to Records of Disclosure

An individual may request access to the accounting of disclosures of his/her records by submitting a request for such accounting to the responsible official. The request must be in writing, signed by the individual, and must be for an accounting of disclosures relating to records subject to the PA. Verification of identity requirements must be met. Requests seeking access to accountings of disclosure must be specific, generally stating the particular record and/or the system of records, and the location in which the records are maintained.

F. Processing Instructions

Time limits and general processing steps for requests for access to accountings of disclosure are consistent with those provided for general access requests. The responsible official will obtain the necessary accountings and prepare a response informing the requester that the listed items represent those accountings of disclosure that are maintained and required to be made available under the PA.

The listed items should include:

1. The description of the record disclosed;

2. The date, nature, and purpose of the disclosure; and

3. The name and address of the person or agency to whom each disclosure was made.

No appeal rights are provided.

G. Records of Accounting Not Available to the Individual

The records of disclosures which are made for law enforcement purposes, under 5 U.S.C. 552a(b)(7), will be maintained. However, these records of disclosure will not be made available to the individual. Therefore, it is recommended that accountings of such disclosures be maintained in such a manner that they can be readily identified and segregated from other accountings of disclosures in order to prevent inadvertent release of such information to the individual.

Systems of records that are exempt from certain requirements of the Act in accordance with subsections (j)(2) and (k) are still subject to the accounting of disclosures requirement of the Act; however an exemption shields the “accountings of disclosures” records from disclosure to the subject of the records. (See Chapter 11 for additional information on PA exemptions.)

 

 TOP


VII. Requests for Notification and Access

A. Notification and Access

B. Format of Request

C. Processing Requests for Notification and Access

D. Other Disclosure Requirements

E. Withholding a Record

F. Prohibition against the use of 5 U.S.C. 522(b) exemptions

G. Notice of Denial

H. Exempt Records

 

VII. Requests for Notification and Access

Summary: This chapter tells how to process requests for notification and access to records. It provides information needed to identify a valid request; how to process and respond to a request; and what needs to be considered when withholding information. It also discusses the interface between the Privacy Act and the Freedom of Information Act.

A. Notification and Access

Treasury employees are required to process PA requests for notification and access on a timely basis. "Notification" is the "where and how" of determining if a system contains records pertaining to the requesting individual.

1. Access to a Treasury system of records. Upon request, each bureau is to allow an individual to gain access to records or to any information pertaining to the individual which is contained in a system of records. The individual is to be permitted to review the record and have a copy made of all or any portion of the record in a form that is comprehensible. The individual will also be permitted to be accompanied by any person of the individual's choosing to review the record; however, the bureau may require the individual to furnish a written statement authorizing discussion of that individual's record in the accompanying person's presence.

2. Access to a Government-wide system of records. As noted in Chapter 2, certain agencies publish systems of records containing records for which they have Government-wide responsibilities. The records may be located in other agencies, but they are being used under the authority of and in conformance with the rules mandated by the publishing agency. A request for notification, access and/or amendment should be processed in accordance with the instructions set out in the PA notice pertaining to the particular Government-wide system in which the record resides. In some cases, the agency which published the Government-wide notice permits the agency which has physical control of the record to make an initial decision with regard to the notification and access of the record. In other cases, the agency which is responsible for the Government-wide system of records requires the initial request to be submitted to that agency for a determination.

B. Format of Request

. Treasury employees are to make reasonable efforts to assist an oral requester to determine to which office a written request should be sent.

1. A request for notification of whether a record exists should:

 

a. Be made in writing and signed by the person about whom the record is maintained or such individual's duly authorized representative;

b. State that it is made pursuant to the Privacy Act, 5U.S.C. 552a, and marked "Privacy Act Request" on the request and on the envelope;

c. Give the name of the system or subsystem or categories of records to which access is sought, as specified in "Privacy Act Issuances" published by the Office of the Federal Register; or

d. Describe the nature of the record(s) sought in sufficient detail to enable Department personnel to locate the system of records containing the record with a reasonable amount of effort. Whenever possible, the request should include the date of the record or the period in which the record was compiled.

 

2. Employees responsible for processing requests for notification and access under the PA are to require proof of identity from individuals who have requested access. A requester appearing in person will be asked to establish his or her identity by:

 

a. Presenting either one document bearing a photograph, such as a passport or identification badge; or

b. Presenting two items of identification which do not bear a photograph but do bear both a name and address; or

c. Providing a notarized statement swearing or affirming to his or her identity and to the fact that he or she understands the penalties provided in the Act for requesting or obtaining access to records under false pretenses.

 

3. Requests for notification and access received by mail should not be processed unless the requester has established his or her identity in the request. Identity can be established by providing: (a) a signature; (b) an address, and (c) one other item of identification such as a photocopy of a driver's license or other document bearing the individual's signature.

A requester may also provide a notarized statement (see item 2.c., above) addressed to the office or officer of the component indicated for the particular system or subsystem or categories of records the individual wishes to access.

Alternatively, a requester may also provide an unsworn declaration subscribed to as true under penalty of perjury in accordance with 28 U.S.C. 1746. Following is an example of such a statement:

This is to verify that I am the individual who is the subject of the records requested above and that my address is:_______________________.

I understand the penalties provided in 5 U.S.C. 552a(i)(3) for requesting or obtaining access to records under false pretenses. I certify under penalty of perjury pursuant to 28 U.S.C. 1746 that the foregoing is true and correct.

Signature:_____________________ Date:______

 

4. Parent/Legal Guardian. In addition to the identification requirements discussed above, when a request is made by the parent or legal guardian of a minor, the attorney-in-fact of another, or the legal guardian of any individual who has been declared incompetent due to physical or mental incapacity or age by a court of competent jurisdiction, the request must:

a. Identify the requester's relationship to the subject of the record;

b. Furnish a copy of a birth certificate showing parentage or a court order establishing the guardianship; and

c. Contain sufficient information to permit a response to be forwarded to the requester.

 

C. Processing Requests for Notification and Access

1. Ten-Day Requirement. If a request for notification and access omits any information which is necessary in processing the request, the requester should be notified within 10 working days of the additional information which must be provided before the request can be processed.

2. Refining the Request. If the request is made for numerous systems of records or systems which could not possibly contain information relating to the requester, the system manager or the bureau’s Privacy Act Officer may need to contact the requester and provide assistance in refining the request (for example, by sending copies of pertinent notices of systems of records or copies of procedures to be followed when making a request).

3. Valid Requests. These should be forwarded to the system manager for processing and a response prepared or disclosure recommendations provided, depending upon the component's established procedures. A request for access to records should state:

a. Whether the requester wishes to inspect the records or desires to have a copy made and furnished without first inspecting them;

b. Whether the requester desires to have a copy made, state the firm agreement of the requester to pay the fees for duplication, after the first 100 pages have been provided at no charge, unless such fees are waived pursuant to that section by the system manager or other appropriate official.

 

Any request for access which does not comply with the foregoing requirements will not be deemed subject to the time constraints of paragraph 6 of this section, unless and until amended to comply. However, bureaus shall advise the requester in what respect the request is deficient.

4. Requests for records not in control of component.

 

a. The requester should be advised when the request is for a record which is not in the possession or control of the Department of the Treasury.

b. Where the record requested was created by an agency other than a component of the Department and has been classified or otherwise restrictively endorsed by the other agency, and a copy is in the possession of the Department of the Treasury, that portion of the request should be referred to the originating agency for determination in accordance with the PA. In the case of a referral to another agency under this paragraph, the requester should be notified that such portion of the request has been so referred and that the requester may expect to hear from that agency.

c. When information sought from the Department includes information furnished by other federal agencies that has not been classified or otherwise restrictively endorsed, the system manager or other appropriate official receiving the request shall consult with the appropriate agency prior to making a decision to disclose or not to disclose the record. The decision as to whether the record should be disclosed will be made by the system manager or other appropriate official maintaining the record.

 

5. Notification of determination. Notification of determinations of whether a record exists or whether to grant access to a record will be made by the officer designated in the notice.

The responsible officer will grant access to the record(s) unless:

 

 

a. The system is exempt from the notification requirement,

pursuant to subsection (j) and/or (k) of the Act;

b. The records are also exempt from disclosure under the Freedom of Information Act (FOIA);

c. The current status of an investigation necessitates the exercise of an exemption.

 

When the requested records are not available due to exemptions under the PA and FOIA, the responsible officer should consider whether the FOIA triggers additional disclosure requirements before preparing a response. (See “Withholding a Record.” Below.)

6. Timely Replies. The determination to grant or deny access should be made as quickly as possible, usually within 10 working days but not later than 30 working days after receipt of a valid request. If the response cannot be made within 30 working days, the responsible official will advise the requester in writing of the reasons for the delay (e.g., volume of records requested, scattered location of the records, need to consult other agencies, or the need to address legal issues) and the approximate date when the request will be answered.

7. Granting access. When it has been determined that the request for access will be granted and:

 

a. A copy has been requested, such copy in a form comprehensible to the requester shall be furnished promptly, together with a statement of the applicable fees for duplication; or

b. The right to inspect has been requested, the requester shall be promptly notified in writing of the determination, and when and where the requested records may be inspected. If, after making the inspection, the individual making the request desires a copy of all or a portion of the requested records, such copy in a form comprehensible to the individual shall be furnished upon payment of the applicable fees for duplication.

 

Note: First-person requests should be processed under the Act (whether PA or FOIA) which will provide the requester with the greatest amount of access. This is usually the PA, regardless of whether this Act, both Acts, or neither are cited. However, in some cases it may be found that greater access to records is available under the FOIA. When this occurs, records should be made available to the requester using the provisions of the FOIA, but the request should be recorded and reported in the Biennial Report as a request under the PA.

D. Other Disclosure Requirements

1. Before Privacy Act records can be released to another person, a properly executed written authorization must be provided by the subject of the records. The authorization must contain:

a. A description of the record which may be provided;

b. The name of the person, firm, or agency which may obtain the record;

c. A statement that the Department is authorized to release the record;

d. The subject's signature and the date; and

e. Verification of the subject's identity.

2. Access in the Presence of a Third Party. When a request has been made for access to personal records, the requester may be accompanied by a person of his/her choice. In this case, access includes not only examination of the records, but also discussion of the contents of the records in the presence of a third party.

If the requester wishes to be accompanied by a third party during access, a signed and dated statement must be furnished to the responsible official indicating this fact. This statement should also include the name of the accompanying person and a specific description of the records to which access is sought. However, neither the requester nor the representative, parent, or legal guardian are required to justify their decision to be accompanied by the third party.

 

3. Medical Records. The program office maintaining medical records may, if it deems necessary, establish special procedures for granting an individual access to his/her medical and psychological records. The program office should articulate in its internal guidance why special procedures are deemed necessary.

However, the procedures may not have as an outcome the withholding of the medical records from the requester. Medical records may be provided to a physician, but the physician cannot withhold any of the records from the requester unless, of course, the requester determines after consultation with the physician that the requester no longer wants the records. The physician's role does not alleviate the Department from its responsibility under the Act to provide all non exempt information.

E. Withholding a Record

When an individual requests access to his or her own record (a first-party request) maintained in a system of records, an agency must have both a PA exemption and a FOIA exemption in order to withhold a record.

1. Denial of a request for access to records will be made only by the responsible official and only upon a determination by that official that:

 

a. The record is subject to a published rule exempting it from disclosure. (In such cases the PA exemption must be cited.)

b. The record is also exempt from disclosure under the FOIA. (The FOIA exemption(s) must be cited.)

 

2. Requests from individuals for access to records which have been exempted from access pursuant to 5U.S.C. 552a(k) shall be processed as follows:

 

a. Requests for information classified pursuant to Executive Order12,958 require the responsible component of the Department to review the information to determine whether it continues to warrant classification under the Executive Order. Information which no longer warrants classification under these criteria shall be declassified and made available to the individual. If the information continues to warrant classification, the individual shall be advised that the information sought is classified, that it has been reviewed and continues to warrant classification, and that it has been exempted from access pursuant to 5U.S.C. 552(b)(1) and 5U.S.C. 552a(k)(1).

b. Information which has been exempted from disclosure pursuant to 5U.S.C. 552a(k)(2) shall be withheld unless the requester shows that the information has been used or is being used to deny the individual any right, privilege or benefit for which he is eligible or to which he would otherwise be entitled under Federal law. In that event, the individual shall be advised of the existence of the information. However, information that would identify a confidential source shall be extracted or summarized in a manner which protects the source to the maximum degree possible, and the summary extract shall be provided to the requesting individual. (See 31 CFR 1.26(g)(6)(ii)(B).)

c. Information compiled as part of an employee background investigation which has been exempted pursuant to 5U.S.C. 552a (k)(5) shall be made available to an individual upon request except to the extent that it identifies the confidential source. Material identifying the confidential sources shall be extracted or summarized in a manner which protects the source to the maximum degree possible and the summary or extract shall be provided to the requesting individual.

If records consist of names or initials of personnel involved in the conduct of the background investigation, the decision in Nolan v. United States Dep’t of Justice, 973 F.2d 843, should apply. The court found that names of FBI agents and other personnel were not the requester’s “record” and outside the scope of the request; therefore, the names and initials of the agents involved in the investigation could be withheld without any PA exemption being cited. This would also rule out the need for citing a FOIA exemption when withholding the same information, unless it was contained in information located outside of a PA system of records, which was only available through the FOIA.

d. Testing or examination material which has been exempted pursuant to 5U.S.C. 552a(k)(6) shall not be made available to an individual if disclosure would compromise the objectivity or fairness of the testing or examination process, but may be made available if no such compromise possibility exists.

 

E. Prohibition against the use of 5 U.S.C. 552 (b) exemptions.

An agency cannot rely upon a FOIA exemption alone to deny an individual access to any of his/her records under the PA. If a FOIA exemption covers the documents, but a PA exemption does not, the records must be released under the PA.

For records contained in a PA system of records, the interface between the Privacy Act/Freedom Of Information Act can be illustrated by the table below.

Privacy/Freedom Of Information Act Interface

When a request is also made pursuant to the FOIA, an agency is obligated to search for any records on the requester which are not in a PA system of records. For records which may have been found, as a result of the search conducted under the FOIA, only FOIA exemptions are relevant since the PA’s access provision and exemptions only apply to records maintained in a system of records.

It is not considered a denial if access is not granted because the requester has not provided sufficient identifying information or otherwise has not cooperated by furnishing a proper request, such as identifying the records or providing a proper mailing address. The requester's failure to furnish the information or to otherwise cooperate within 30 days is considered a withdrawal of the request.

G. Notice of Denial

If a request for notification and/or access is denied (whether in whole or in part), the responsible official shall furnish the requester the following information in writing:

1. The responsible official's name, position title, and business mailing address.

2. The date of the denial.

3. The reasons for the denial, including the citation of appropriate subsections of the PA and the FOIA.

4. The requester's opportunities for further administrative consideration, including the name, position title, and business mailing address of the Department official responsible for review of the decision. The requester should be advised that documents responsive to his/her request are exempt from the access provisions of the PA pursuant to 5 U.S.C. 552a(j)(2) and/or (k). Accordingly, the access rights are limited to those provided by the FOIA.

5. The right of the requester to file suit in an appropriate district court pursuant to Subsection 552a(g)(1).

In addition, the responsible official should describe in general terms the nature of the material in the record that is exempt. The description should not be so detailed as to jeopardize the content or integrity of the record.

H. Exempt Records

Some of the Department's systems of records contain information for which exemptions are authorized by subsections (j)(2), (k)(1), (k)(2), (k)(3), (k)(4), (k)(5), and (k)(6) of the Act. The records that are exempt and the justifications for the exemptions are included in the system notices. A list of exempt systems is found at 31 CFR 1.36. For a further discussion of PA exemptions, see Chapter 11.

 

 TOP


VIII. Requests for Amendment

A. In General

B. Form of the Request for Amendment

C. Contents of the Request

D. Incomplete or Unclear Requests

E. Supporting Documentation

F. Date of Receipt of Request

G. Processing Requests

H. Records not Subject to Correction under the PA

I. Informing the Requester

J. Making the Amendment

K. Preparing Responses to Requests for Amendment

L. Notifying Prior Recipients

M. Amendment Case File

 

VIII. Requests for Amendment

Summary: This chapter provides information needed to determine if a requester is the proper person making the request, what records can or cannot be amended, the administrative requirements to be met by a requester, and how to process and respond to an amendment request.

A. In General

Under the provisions of the Act, an individual has the right to request that an agency amend any record, or portion of a record if:

1. The individual is:

a. The subject; or

b. The subject's legally authorized representative; or

c. The legal guardian of an incompetent subject; or

d. The parent or legal guardian of a minor subject; and

 

2. The record or portion of a record is part of a system of records; and

3. The individual believes, and can present evidence or arguments to support the belief, that the record or portion of a record is:

a. Inaccurate. Inaccurate information is a misstatement of fact due to mistake or error, misrepresentation or perjury, pertaining to or reflecting on the individual or some other individual (in cases of third-party requests with written authorization from the record subject). Such information should be corrected and should generally be removed completely from the record.

b. Irrelevant. Irrelevant information refers to material which is not necessary to accomplish a purpose of the Department required by statute or by Executive Order. This information should generally be completely removed from the record without being replaced by a corrected statement.

c. Incomplete. Incomplete information refers to material which should be supplemented either because essential information has been omitted or because the individual wishes to have additional information inserted in the record. This situation does not call for removing or altering existing information.

 

The Department sometimes receives requests to amend records under the PA that are not properly subject to the amendment provisions of the Act. In determining whether

records are subject to amendment or correction, the responsible official should consider the following guidelines:

1. Only those records that are part of a PA system of records are subject to the amendment provisions of the Act. These systems are published in the Federal Register.

2. Records which do not contain any item of information about an individual or which are not retrieved by the name, identifying number, symbol or other particular about an individual, or which do not pertain to the person are not required to be amended under the Act.

3. Records which pertain to or are retrieved by the identity of a corporation, estate, trust, partnership, etc., are not required to be amended under the Act.

4. Records which pertain to the entrepreneurial capacity of an individual are not required to be amended under the Act since the Act was not intended to apply to a person's business affairs.

5. Systems that are exempt from the provisions of the Act under (j)(2), (k)(l), (k)(2), (k)(3), (k)(4), (k)(5), and (k)(6) are not required to be amended under the Act.

The amendment procedures are not intended to permit a challenge to a record that records an event that actually occurred or for amending the judgments of officials or others whose judgments are reflected in the records and which are about the underlying decision they reflect. Neither are they designed to permit an attack upon material that has been the subject of a judicial or quasi-judicial action. Consideration of a request for amendment would be appropriate in such instances if it can be shown that circumstances leading up to the event recorded on the document were:

1. Challenged through administrative procedures and found to be inaccurate;

2. Not constructed in full accordance with the applicable record-keeping requirements prescribed; or that the document is not exactly the same as the requester's copy. For example, the amendment provisions should not allow an individual to challenge the merits of an adverse action. However, if the form created to document this adverse action contains an error on the face of the record (e.g., the individual's name is misspelled, an improper date of birth was recorded), the amendment procedures may be used to request a correction of the record.

B. Form of the Request for Amendment

A request for amendment of a record must be in writing and signed by the individual making the request, or a duly authorized representative. The request must pertain to that individual's records, except when a parent

or legal guardian of a minor or legal guardian of a person declared incompetent, asks for an amendment on behalf of such individual.

The request must include adequate proof of identity of the requester. Consideration should be given to the adequacy of identification supplied in instances where an amendment appears to be unfavorable or contrary to the best interests of the requester. It is possible that a third party may be improperly attempting to amend the record.

The request must contain the name and address of the individual making the request. In addition, if a particular system employs social security numbers as an essential means of accessing the system, the request must include that number.

If the record is maintained in the names of two individuals, such as husband and wife, the request must contain the names, addresses, and social security numbers, if necessary for access, of each individual; and the signature and adequate identification for the requesting individual only.

C. Contents of the Request

A request for amendment of a record should include the following:

1. The name and location of the system of records;

2. The title and business address of the official designated in the "Record Access Procedures" section of the notice for that system;

3. A precise identification of the record, including a description of the record, the date, and any other identifying details;

4. The specific material to be amended or deleted, including a citation of the specific paragraph, sentence and word to be amended or deleted. The request should state why the information is not accurate, relevant, timely, or complete. Supporting evidence may be included with the request;

5. The specific material to be added, if any, and the exact place at which it is to be added. Evidence of the validity of new or additional information should be included. If the individual wishes to correct or add any information, the request must contain specific proposed language for the desired correction or addition.

D. Incomplete or Unclear Requests

When a request for amendment of a record is received and the responsible official determines that it is incomplete or unclear, the responsible official will inform the individual of this decision in writing and solicit the desired clarification or additional information or documentation. For the purpose of determining time limits, such a request shall not be considered to have been received until the additional information is received.

If the request substantially meets requirements, the responsible official may use discretion in deciding whether to accept the amendment request for processing. In addition, if an imperfect request is received and it can be determined that even if perfected the proposed amendment would not be acceptable, the requester should be so advised rather than asking that the request be perfected.

A record of the incomplete or unclear request and response will be maintained, along with any related information that reflects attempts to comply with the request. No statement of appeal rights will be provided if the response only advises the requester how to perfect the request and there has been no refusal to amend a record.

E. Supporting Documentation

An individual requesting amendment of a record has the burden of supplying information in support of the propriety and necessity of the amendment. The responsible official is not required to gather supporting evidence and will make a decision on the basis of information submitted by the individual. However, the responsible official may:

1. Seek additional information pertinent to the request in order to assure that a fair, equitable, and accurate decision is reached; and

2. Verify the evidence that the individual submits.

F. Date of Receipt of Request

A request for amendment of records pertaining to an individual shall be deemed to have been received for purposes of this subpart when the requirements of paragraphs B and C of this section have been satisfied. The receiving office or officer shall stamp or otherwise endorse the date of receipt of the request.

The responsible official will be available to discuss amendments with the requester; to offer advice on how to file amendments, appeals, and statements of disagreement; and to give information with respect to civil remedies.

G. Processing Requests

If the request is adequate to permit processing, the responsible official shall take action to obtain the record.

1. Requests shall be acknowledged no later than 10 working days from the date of receipt of the request, unless the request can be acted upon and completed within 10 days. Responses to initial requests and to requests for review of refusal to amend a record should, if possible, be issued within 30 working days of receipt of the request.

2. If no further action can be taken because the record cannot be located, does not exist, or has been destroyed, the requester will be informed and the request returned. A record shall be maintained of the attempt to locate the documents and the response, but not the content of the proposed amendment. No statement of appeal rights need be given.

3. Once the request is adequate to permit processing and pertains to a record which is subject to the amendment provisions of the Act, and the record exists and is available,

then the responsible official shall determine whether the proposed amendment should be made by considering the following:

 

a. Generally, information pertaining to an individual regarding his or her education, financial transactions, medical history, criminal history or employment history is the type of information subject to correction because it may not be accurate, relevant, timely, or complete.

b. In order to be amendable, the item must tell something about the individual. For example, records that contain information about other individuals, about actions taken by the Department in regard to the individual, or other things that in no way are descriptive or characteristic of the individual, are not subject to the amendment requirement. However, if this information reflects upon the individual, it would be subject to amendment if incorrect. For example, a statement that the Department has taken action against an individual would reflect upon the individual and should be amended if incorrect.

c. The nature of the record will determine whether the existing information shall be fully removed from the record or simply annotated to reflect the correction. Existing information which has already served as the basis for a Department action or determination should not be fully removed if it would distort an historical experience the record is intended to reflect.

d. The individual is generally the most reliable source of information about himself or herself and deference should be given to his or her statements if there is no basis for doubt. The individual may, however, be asked to supply verifying data or documentary evidence if doubt exists as to whether the correction should be made.

 

4. The following criteria may be considered by the system manager in reviewing a request for correction or amendment:

a. Sufficiency of the evidence submitted by the individual;

b. Factual accuracy of the information;

 

c. Relevance and necessity of the information in terms of purpose for which it was collected;

d. Timeliness and currency of the information in light of the purpose for which it was collected;

e. Completeness of the information in terms of the purpose for which it was collected;

f. Degree of possibility that denial of the request could unfairly result in determinations adverse to the individual;

 

g. Character of the record sought to be corrected or amended; and

 

h. Propriety and feasibility of complying with the specific means of correction or amendment requested by the individual.

 

H. Records not Subject to Correction under the PA

The following records are not subject to correction or amendment by individuals:

1. Transcripts or written statements made under oath;

2. Transcripts of Grand Jury proceedings, judicial or quasi-judicial proceedings which form the official record of those proceedings;

3. Pre-sentence reports comprising the property of the courts but maintained in agency files;

4. Records pertaining to the determination, the collection and the payment of ederal taxes;

5. Records duly exempted from correction by notice published in the Federal Register; and

6. Records compiled in reasonable anticipation of a civil action or proceeding.

I. Informing the Requester

1. If the proposed amendment has been accepted, the responsible official should inform the requester in writing and provide the requester with a courtesy copy of the corrected record, if practical. Also, any difference between the correction actually made and the correction requested should be explained.

The correction or amendment of a record requested by an individual should be denied only if a determination is made by the system manager that:

 

a. The individual has failed to establish the propriety of the correction or amendment in light of the criteria set forth above;

b. The record sought to be corrected or amended was compiled in a terminated judicial, quasi-judicial or quasi-legislative proceeding to which the individual is a party or participant;

c. The correction or amendment would violate a duly enacted statute or promulgated regulation; or

d. The individual has failed to reasonably comply with the procedural requirements of Treasury rules.

 

2. If the requested amendment is not made, the responsible official should inform the requester of the reasons for refusal and provide the name, title, and business address of the officer designated in the appendix for the bureau as the person who is to review the bureau’s refusal to amend the record.

3. A complete file of the denial should be maintained. The file should include:

 

a. A copy of the request, including evidence provided by the requester justifying the amendments;

 

b. A copy of the portion of the record involved; and

c. A copy of the response.

J. Making the Amendment

Whenever the records are amended, the records should be clearly marked, "Information deleted, corrected or added, (whichever may be the case) -- PA Request" and the date noted.

When paper records are involved, deleting the prior entry means completely erasing or otherwise rendering the information illegible. Corrections made without deleting the prior entry should consist of lining through the entry to make it apparent that it is no longer in effect without rendering it illegible. Information added to the file may consist of entries by pen and ink or by attaching additional sheets to the record.

Other-than-paper records may be corrected by whatever means are ordinarily available for correcting erroneous entries or inserting additional information, so long as results comparable to the above are obtained.

K. Preparing Responses to Requests for Amendment

Responses shall be prepared for the signature of the head of the organization or unit having immediate custody of the records or his or her delegate (generally known as the responsible official). In addition, the responsible official will direct employees normally responsible for the maintenance of such records to make any necessary corrections to these records.

L. Notifying Prior Recipients

Whenever a record is corrected at the request of an individual under the PA, the responsible official should notify in writing each person or

Agency to whom that record has previously been disclosed of the exact nature of the correction, to the extent that accounting of disclosures was maintained. (See Chapter 6 of the Handbook.)

To make this notification, it should be determined by reference to the record itself or the accounting of disclosure whether the specific portion of the record being corrected was disclosed. Only those persons or agencies who received the specific portion of the record being corrected need be notified of the correction. The recipient should be provided with a photocopy of the amended record except when deleting information, in which case a description of the correction made is sufficient.

If the corrections have been extensive and do not appear to be particularly relevant to the prior recipients' interests, or if sufficient time has passed to suggest that the recipient may not be maintaining the disclosed records any longer, a description of the nature of the corrections should be provided to the recipient in sufficient detail to permit the recipient to determine if photocopies are to be requested.

M. Amendment Case File

The purpose of the amendment case file is to document all actions from the initial request to amend through the request for a review of the denial of amendment.

1. The responsible official should establish an amendment case file for all requests for amendment which are refused or only partially granted. The file should include:

 

a. A copy of the PA request for amendment for each action; and

b. All correspondence and related material involving a particular record. The case file may also contain copies of the statements of disagreement and agency justification which will be located with the record.

 

2. Retention and disposal of the amendment case files:

 

a. Files relating to amendment requests granted by the bureau should be disposed of in accordance with the approved retention schedule for related subject’s record, or 4 years after the agency’s agreement to amend, whichever is later.

b. Files relating to amendment requests refused by the bureau should be disposed of in accordance with the approved retention schedule for related subject’s record, 4 years after final determination by the agency, or 3 years after final adjudication by the courts, whichever is later.


  TOP


IX. Review of Denials of Amendment

A. In General

B. Format of Request

C. Proper Request to Review Denial

D. Deficient Request to Review

E. Date of Recipet

F. Time Limit

G. Extension of the Time Limit

H. Agency Determinations

I. Statements of Disagreement



IX. Review of Denials of Amendment

Summary: This chapter provides a general format for processing a request to review a denial of an amendment request. It outlines the information needed from a requester, and gives the steps needed to respond to the request. It also suggests other procedural steps that may be taken to implement the Act.

A. In General

When there has been a refusal to amend a record that is subject to the amendment provisions, the requester may submit a request to review (appeal) such refusal. A request to review the denial will generally be evaluated by the head of the component or by a delegated official having jurisdiction over the system of records involved. However, the deciding official should not be the individual who made the original decision to deny. The responsible official may respond to requests for reviews which are not required, such as when the system of records is exempt

B. Format of Request

The request to review should:

1. Be in writing, signed by the person to whom the record pertains or the authorized representative; mailed within 35 days of the date the individual was notified of an adverse determination; and be addressed to the officer identified in the letter notifying the requester of the bureau’s refusal to amend the record(s).

2. Be clearly marked "Privacy Act Amendment Review." However, failure to follow this suggestion will not prevent the appeal from being processed under the proper procedures.

3. Contain the name and address of the individual making the request to review and sufficient information to verify the identity of the individual. In addition, if a particular system employs an individual's social security number as an essential means of accessing the system, the request to review must include that number. If the record is maintained in the name of two individuals, such as husband and wife, the request to review must include the names, addresses, and social security numbers of both individuals.

4. Reasonably describe the record in question, the name and location of the system of records in which the record is maintained, and the title and business address of the designated official for the system of records.

5. Include a copy of the initial request, if available, or the date of the initial request for amendment of the record and the date of the letter notifying the individual of the initial adverse determination.

6. Clearly state the specific change the individual wishes to make in the record. The request to review must also contain a concise explanation of the reasons for the change. A copy of the initial request attached to the request to review will satisfy this requirement. If the individual wishes to correct or add any additional information, the request to review must contain specific proposed language to make the desired correction or addition.

C. Proper Request to Review Denial

If the request to review satisfies the requirements of paragraph B above, the responsible official who prepared the original refusal will forward the file on the case and any other required materials to the appellate official.

D. Deficient Request to Review

If the request to review is deficient, the requester will be provided with an appropriate explanation. A record will be maintained of the request to review, the response, and any related information that reflects attempts to comply with the request to review.

E. Date of Receipt

Requests to review shall be promptly stamped with the date of their receipt by the officer designated in the appendix for the bureau as the person who is to review the bureau’s refusal to amend the record, and such stamped date will be deemed to be the date of receipt for all purposes of this subpart.

F. Time Limit

Within 10 working days after receipt of a request to review a denial of a request for amendment of a record, the appellate official will:

1. Acknowledge, in writing, receipt of the request to review;

2. Provide a decision on the request to review (if possible); or

3. Inform the individual of the expected date (within 30 working days) by which a decision will be reached.

G. Extension of the Time Limit

Only for a good cause, and at the discretion of the review official, can the 30 working-day time limit be extended. Generally, such an extension shall be for no more than an additional 30 working days. For purposes of this part, a good cause requiring an extension would include a situation where a component may need to take an action in order to effect an amendment of a record or other similar action; for example, preparation of a new SF-50.

An extension of the 30 working days time limit will require written notification to the individual explaining the reason for the extension and furnishing a new expected date for the decision.

H. Agency Determinations

1. Decision to grant request to review. If the determination is to amend the record, the appellate official will:

 

a. Notify the requester, in writing, of the decision;

b. Notify the requester of all actions taken to effect the amendment;

c. Provide the requester with a copy of the amended record, if possible;

d. Provide the requester with a copy of the record as it existed before the amendment; and

e. Inform the requester of all actions taken to notify prior recipients of the record of the amendment.

 

2. Decision to grant partial amendment. When it is determined that the previous decision to deny the requested amendment of a record should be partially overturned and that part of the requested amendment should be granted, the appellate official shall:

a. Notify the requester, in writing, of that decision;

 

b. Notify the requester of all actions taken to effect the partial amendment of the record;

c. Provide the requester with a copy of the partially amended record, if possible;

d. Provide the requester with a copy of the record as it existed before the partial amendment, if possible;

e. Inform the requester of all actions taken to notify prior recipients of the record of the partial amendment;

f. Provide the specific legal or regulatory basis for the partial denial decision;

g. Provide the appellate official's name, position title and business mailing address;

h. Provide an explanation of the requester's right to file a concise statement of disagreement;

i. Provide an explanation of the Department's right, where appropriate, to attach the decision notice or a summary statement to the concise statement of disagreement; and

j. Provide an explanation of the procedure whereby the requester may seek judicial review of the appellate official's decision.

 

3. Decision to deny a request to review. When it is determined that the initial decision should be upheld and that the requested amendment of the record should be

denied, the appellate official shall notify the individual of the decision in writing. The notification shall contain:

a. The specific legal or regulatory basis for the decision;

 

b. The appellate official's name, position title, and business address;

 

c. An explanation of the requester's right to file a concise statement of disagreement;

d. An explanation of the Department's right, where appropriate, to attach the decision notice or summary statement to the concise statement of disagreement; and

e. An explanation of the procedure whereby the requester may seek judicial review of the appellate official's decision. The following paragraph can be used as a sample:

“An action for judicial review may be brought under the Privacy Act in the district court of the United States in the district in which you reside or have your principal place of business, or in which the agency records are situated, or in the District of Columbia, within two years from the date of refusal to amend the record(s).”

 

4. When the bureau’s appellate official has denied the request for amendment in part in in whole, a copy of the initial request for amendment, the bureau’s response, the appeal letter from the requester and the bureau’s final determination will be forwarded to the DASPTR for review by the SAOP.

I. Statements of Disagreement

The PA permits an individual to file a concise "Statement of Disagreement" when an agency has decided not to make the requested amendment to the individual’s record.

When a disclosure of the disputed record is made, the system manager shall clearly note any portion of the record which is disputed and provide copies of the "Statement of Disagreement" submitted by the individual.

The system manager may also provide, if deemed appropriate, a concise statement of the reasons for not making the amendments requested to persons or other agencies to whom the disputed records have been disclosed.

 

 

 TOP


X. Disclosure of Records

A. In General

B. Accounting of Disclosures

C. Disclosure Authorized Without Prior Written Concent

D. Disclosure of Data From a Deceased Subject’s Records



X. Disclosure of Records

Summary: This chapter gives guidance on providing a Privacy Act record to an individual or entity outside the Department, and when disclosures can be made without the consent of the subject of the record.

A. In General

The Act prohibits the Department from disclosing a record which is part of a system of records without obtaining the prior written consent of the subject, unless the records are otherwise authorized to be disclosed by subsection (b) of the Act.

The term “disclosure” in this chapter does not include providing information to the subject of the record when the subject has made a request for his or her records. The processing of a first party request is discussed in Chapter 7.

B. Accounting of Disclosures

An accounting of all disclosures made from a PA system of records is required except: (1) When the disclosure is made to “those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties.” This “need to know” exception authorizes the intra-agency disclosure of a record for necessary, official purposes. (2) When the disclosure is required by the FOIA.

The procedures for establishing and maintaining an accounting of disclosures are contained in Chapter 6.

C. Disclosure Authorized Without Prior Written Consent

The Act permits the Department to disclose information from a record which is part of a system of records without obtaining the prior written consent of the subject under certain conditions as described below:

1. Disclosure within the Department. The Department is authorized to disclose a record which is part of a system of records to an individual who is an officer or employee of the Department maintaining the record and has a need for the records in order to perform his/her official duties.

2. Disclosure under the provisions of the Freedom of Information Act. The Department is authorized to disclose a record which is part of a system of records without obtaining the prior written consent of the subject when the disclosure is required under the provisions of the FOIA.

3. Routine Use. The Department may disclose a record which is part of a system of records when this disclosure is permitted by a routine use that has been published by the Department in the Federal Register. The information cannot be released for use for a purpose other than one that is compatible with the purpose for which it was collected, and an accounting must be maintained by the unit for any disclosure outside the Department. "Compatibility" requires that the link between the purpose for collecting the information and the reason for disclosing it be more than just mere "relevance." Rather, there must be some meaningful degree of convergence between the collection of the information and its disclosure.

 

4. Census Bureau. The Department may disclose a record which is part of a system of records to the Bureau of the Census for the purpose of planning or conducting a census, survey, or related activity authorized by Title 13, United States Code.

5. Statistical Research. The Department may disclose a record which is part of a system of records to a recipient who has provided advanced adequate written assurance that the record will be used solely as a statistical research or reporting record. However, such a record must be transferred in a form that is not individually identifiable, without the individual's name or individual identifying number. The responsibility for ensuring that disclosed information cannot be identified with any individual rests with the official or employee disclosing the data.

For purposes of meeting the requirement stated above, adequate assurance includes:

 

a. A statement of the purpose for requesting the record; and

b. Certification that the record in question will be used only for statistical purposes.

 

6. National Archives. The Department may disclose a record which is part of a system of records to the National Archives and Records Administration (NARA) as a record which has sufficient historical or other value to warrant its evaluation by the Archivist of the United States or his designee to determine whether the record has sufficient value that it should be preserved.

7. Civil or Criminal Law Enforcement Activity. The Department may disclose a record which is part of a system of records to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for the purpose of a civil or criminal law enforcement activity if:

a. The activity is authorized by law; and

b. The head or a delegated official of the agency or instrumentality has:

(1) Made a written request to the agency which maintains the record;

(2) Specified the particular record or portion of a record which is desired; and

(3) Specified the law enforcement activity for which the record is sought.

8. Health or Safety. The Department may disclose a record which is part of a system of records to a person when the requester shows "compelling circumstances" affecting the health or safety of an individual (not necessarily limited to the subject). A senior management official must concur with the release of such information before release.

Upon disclosure under the health and safety exception, the subject must be notified in writing within 5 days of the disclosure. This requirement is met when reasonable effort is made to locate the individual and mail the notification to the last known employment or home address. Notification shall include the following information: the nature of the information disclosed, the person or agency to whom it was disclosed, the date of disclosure, and the compelling circumstances justifying the disclosure. Notification shall be given by the officer who made or authorized the disclosure.

9. Congress. The Department may disclose a record which is part of a system of records to:

a. Either House of Congress; or

b. To the extent of matter within its jurisdiction, any committee or subcommittee (joint or of either House) of the Congress.

If the request is a duly authorized request on behalf of Congress through a legislative committee or subcommittee pertaining to a subject within the jurisdiction of the committee or subcommittee, then the request would fall within this condition of disclosure. Any system manager receiving a request from the chair of a committee or subcommittee should contact the bureau’s legal counsel prior to processing the request.

This does not include disclosure to an individual member of Congress on behalf of a constituent, which is permissible under condition of disclosure (b)(3).

10. Comptroller General. The Department may disclose a record which is part of a system of records to the Comptroller General of the United States or to his or her authorized representative when such record is requested in the course of the performance of the duties of the General Accounting Office.

11. Court of Competent Jurisdiction. The Department may disclose a record which is part of a system of records pursuant to the order of a court of competent jurisdiction.

Note, however, courts have found that a subpoena signed by the clerk or an Assistant U.S. Attorney is not an order of a court; therefore, a disclosure pursuant to a subpoena is not appropriate under subsection (b)(11) unless the order is signed by the judge of the court.

a. For the purposes discussed in this section, a court of competent jurisdiction includes:

(1) A United States Federal Court;

(2) A quasi-judicial agency (e.g., the United States Merit Systems Protection Board); or

(3) The judicial system of a State, territory, or possession of the United States.

It should be noted that OMB has informally advised that agencies may disclose

PA - protected records pursuant to a state court order under subsection (b)(11), even though that court lacks personal jurisdiction over the agency. Agencies should, however, be aware that compliance with such an order might be taken by a court as acquiescence to the court’s jurisdiction, notwithstanding applicable principles of sovereign immunity.

b. Consultation with Legal Counsel. Before complying, or refusing to comply, with an order of a court of competent jurisdiction, the responsible official will consult with legal counsel to ensure that the proposed response is appropriate.

c. Notification of the Subject. Notice shall be provided within five working days of making the records available under compulsory legal process. As soon as practicable after being served with an order of the court, the responsible official will mail a notice to the subject informing him/her that the disclosure has taken place, specifying the name and number of the case or proceeding and nature of the information sought, except in response to an ex parte order. In the case of a Grand Jury subpoena or an ex parte order, notice must be provided within five days of its becoming a matter of public record.

Such notice shall be mailed to the subject's last known place of employment or home address. One copy of the notice should be maintained in the disclosure file and one copy associated with the record disclosed, if practical. The notice will contain the following information:

(1) Date and authority to which the court order is or was returnable;

(2) Date of and court issuing the ex parte order;

(3) Nature of the information sought and provided; and

(4) Name and number of the case or proceeding.

 

If the disclosure is made in response to a court order from a court of competent jurisdiction or an ex parte order under 26 U.S.C. 6103 (i)(1), the notice should not be given until the order becomes a matter of public record. If the order does not indicate whether it is a matter of public record, it may be necessary to request the issuing authority to advise the Department or component when the matter becomes public so the required notice may be issued.

The notice of the issuance of a court order is not required if the system of records has been exempted from the notice requirement (5 U.S.C. 552a(e)(8)) of the Act, pursuant to 5 U.S.C. 552a(j).

12. Consumer Reporting Agency in Accordance with 31 U.S.C. 3711(f).

This disclosure exception was added to the original 11 by the Debt Collection Act of 1982. It authorizes agencies to disclose bad-debt information to credit bureaus. Before doing so, however, agencies must complete a series of due process steps designed to validate the debt and to offer the individual the chance to repay it. (See 48 Fed. Reg. 15556 (1983), OMB Guidelines on Debt Collection Act.)

D. Disclosure of Data From a Deceased Subject’s Records

Whenever a specific request is made for a record which is part of a system of records and such records pertain to a deceased subject, the information required shall be disclosed unless:

1. It contains data pertaining to someone other than the subject;

2. The disclosure of the record would be considered to be an unwarranted invasion of a living person's privacy; or

3. The withholding of the record can otherwise be legally supported.

 

 
 

 

 TOP 

 


XI. Exemptions from the Privacy Act

A. In General

B. 5 U.S.C. 522a(d)(5)

C. General Exemptions

D. Specific Exemptions

E. Rulemaking Requirement



XI. Exemptions from the Privacy Act

Summary: This chapter provides information about the exemptions found in the Privacy Act. It discusses the provisions from which exemptions can be claimed, as well as the procedural requirements found in the Act and how they are impacted by the Administrative Procedure Act.

A. In General

The PA allows the head of the agency to promulgate rules to exempt any system of records from the requirement that individuals be permitted access to records pertaining to themselves, as well as exemptions from other requirements. However, no system of records is automatically exempt from any provision of the Act except for the provision found at (d)(5).

B. 5 U.S.C. 522a(d)(5)

The first exemption, 5 U.S.C. 552a(d)(5), is frequently overlooked as it is not located with the other exemptions found in subsections (j) and (k). This exemption is special in that it provides an exemption only from the access provision.

Subsection (d)(5) states that nothing in the Act shall require an agency to grant access to any information compiled in reasonable anticipation of a civil action or proceeding. The exemption covers documents prepared in anticipation of quasi-judicial administrative hearings and was also intended to cover preliminary judicial steps.

Unlike the attorney work-product privilege under the FOIA found at 5 U.S.C. 552(b)(5), subsection (d)(5) of the PA does not cover records compiled in anticipation of criminal actions. Records of this type may be protected under exemption (j)(2) of the PA.

A distinguishing feature between this exemption and all the other PA exemptions is that subsection (d)(5) is "self-executing" since it does not require an implementing regulation in order to be effective.

C. General Exemptions

5 U.S.C. 552a(j) provides for two general exemptions to the PA.

1. Under subsection (j) an agency may exempt an entire system of records from certain provisions of the Act if the system of records is:

a. Maintained by the Central Intelligence Agency; or

b. Maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws, including

police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities, and which consists of:

(1) Information compiled for the purpose of identifying individual criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and probation status;

(2) Information compiled for the purpose of criminal investigation, including reports of informants and investigators and associated with an individual; or

(3) Reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws, from arrest or indictment through release from supervision.

 

2. Provisions exempted under subsection (j). The head of an agency may exempt a system from certain provisions of the Act but is prohibited from exempting the system of records from the following subsections of the Act:

(b). This subsection sets forth the conditions of disclosure that are allowed without the consent of the individual to whom the record pertains.

(c)(1) and (2). These two subsections require accounting for certain disclosures for either 5 years or the life of the record, whichever is longer.

 

(e)(4)(A) through (F). These subsections require the publication of certain information in a system of records notice in the Federal Register.

(e)(6), (e)(7), (e)(9), (e)(10), and (e)(11). These subsections require that records disclosed are accurate, complete, timely and relevant for an agency's purpose; that no record is maintained regarding an individual's exercise of his/her First Amendment rights (except under certain criteria); that rules of conduct are established for the agency employees involved in the design, development, operation or maintenance of a system of records; that appropriate safeguards for a system of records are established; and that new or altered systems of records be published in the Federal Register.

(i). This subsection concerns the criminal penalties imposed for violation of the Act by agency employees.

 

D. Specific Exemptions

5 U.S.C. 552a(k) provides seven specific exemptions which may be used by an agency when the head of the agency has promulgated rules exempting the system of records from certain provisions of the Act. Unlike the exemptions found in subsection (j), these exemptions can only be applied to specific records maintained within a system of records.

1. Under subsection (k), any system of records may be exempted from certain provisions of the Act if the system of records is:

 

a. (k)(1) "subject to the provisions of section 552(b)(1) of this title." This exemption incorporates exemption l of the FOIA, requiring that the records (A) be specifically authorized under criteria established by an Executive Order to be kept secret in the interest of national defense or foreign policy, and (B) the records are in fact properly classified pursuant to such Executive Order.

b. (k)(2) "investigatory material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2) of this section: Provided, however, that if any individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal law, or for which he would otherwise be eligible, as a result of the maintenance of such material, such material shall be provided to such individual, except to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence or, prior to the effective date of this section [9/27/75], under an implied promise that the identity of the source would be held in confidence." This exemption applies to civil investigations as well as criminal investigations.

 

Note: The term "investigatory material" closely follows the meaning given this phrase in exemption (b)(7) of the FOIA. Therefore, the case law which interpreted "investigatory" and "law enforcement purposes" for exemption (b)(7) of FOIA should be utilized in defining those terms as they appear in subsection (k)(2) of the Act.

c. (k)(3) "maintained in connection with providing protection services to the President of the United States or other individuals pursuant to section 3056 of Title 18." This exemption is to cover those records which are not clearly within the scope of law enforcement records covered under subsection (k)(2) but which are necessary to assure the safety of individuals protected pursuant to 18 U.S.C. 3056.

d. (k)(4) "required by statute to be maintained and used solely as statistical records." The language of the statute suggests that the system of records which qualifies to be exempted under this provision is a system composed exclusively of records that by statute are prohibited from being used for any purposes involving the making of a determination pertaining to any right, benefit, eligibility, or entitlement of the individual to whom they pertain; not merely that the agency does not engage in such activities.

e. (k)(5) "investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [9/27/75], under an implied promise that the identity of the source would be held in confidence." The exemption is generally applicable to source-identifying material in background employment and personnel-type investigative files.

This exemption was included in the Act to take into account the fact that the screening of personnel to assure that only those who are properly qualified and trustworthy are placed in governmental positions will, from time to time, require information to be collected under a pledge of confidentiality.

 

f. (k)(6) "testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process."

This provision is to permit the agency to exempt testing or examination material used to assess the qualification of an individual for appointment or promotion in the military or civilian service only if disclosure of the record would reveal information about the testing process, giving an individual unfair competitive advantage.

 

g. (k)(7) "evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [9/27/75], under an implied promise that the identity of the source would be held in confidence."

 

2. Provisions exempted under subsection (k). The head of an agency may exempt a system of records from the following subsections of the Act:

 

(c)(3). This subsection requires an agency to make an accounting of disclosures available to an individual of his/her records, except those disclosures made under (b)(7) of the PA.

(d). This subsection gives any individual a right of access to all records pertaining to him/her.

(e)(1). This subsection requires an agency to maintain only information relevant and necessary to accomplish a purpose of the agency.

(e)(4)(G). This subsection requires an agency to publish a notice in the Federal Register setting forth agency procedures whereby an individual can be notified at his/her request if a system of records contains a record pertaining to the individual.

 

(e)(4)(H). This subsection requires an agency to publish a notice in the Federal Register setting forth agency procedures that are to be used by an individual to gain access to the records pertaining to the individual and to contest the content of the records.

 

(e)(4)(I). This subsection requires an agency to publish a notice in the Federal Register giving the categories of sources of records in the system.

 

(f). This subsection requires an agency to establish access and amendment procedures to be used by an individual pertaining to PA records.

 

 

It should also be noted that the Act (subsection (g)(3)(A)) grants courts the authority to review requested records in camera when a subsection (k) exemption is used to deny access. Further, when processing a request under this Act, several courts have held that reasonable segregation of the records is required whenever a subsection (k) exemption is invoked.

E. Rulemaking Requirement

To obtain an exemption for a system of records from any requirement of the Act, the head of the agency that maintains the system must make a determination that the system falls within one of the categories of systems which are permitted to be exempted.

OMB Circular A-108 states that the term “agency” is not intended to be applied to subdivisions, offices or units within an agency. For that reason, the exemptions that are published at 31 CFR 1.36 are published under the authority of the Secretary of the Treasury or his/her delegate.

The determination is published as a rule in accordance with the requirements of section 553 of the Administrative Procedure Act. One court has found that agencies need to give the public a meaningful opportunity to comment on a proposed exemption of a system of records. If an agency fails to provide the public with a chance to comment on a proposed exemption, the agency would not be in compliance with the comment provision of the Administrative Procedures Act (APA). Agencies may not withhold records pursuant to 5 U.S.C. 552a(j) or (k) until the final rule has been declared effective.

Whenever a notice of a system of records is proposed for a system which is intended to be exempt from provisions of the PA, a proposed rulemaking is required to revise the listing of exempt systems, found at 31 CFR 1.36, "Notice of proposed rule exempting a system of records from requirements of the Privacy Act."

At the time that rules exempting the system of records from certain sections of the PA are adopted, the rule shall include the reasons why the system of records is to be exempted from a provision of 5U.S.C. 552a.

Notices of proposed rules of exempt systems must be accompanied by a report to OMB and Congress identifying the subsections of the Act which are being exempted and describing the nature, effect, and reasons for the proposed exemption in greater detail than the notice of system of records itself.

After the proposed and final rulemaking document has the concurrence of the Director, Privacy and Civil Liberties and is signed by the Deputy Assistant Secretary for Privacy, Transparency, and Records the proposed and final documents are submitted to the Executive Secretary for approval in accordance with Treasury Directive 28-01. The rulemaking documents are then sent to the Federal Register for publication.

On November 24, 2000, the Department published revised regulations exempting its systems of records from provisions of the Privacy Act (65 FR 69865). A copy of the regulations can be found at: http://www.treasury.gov/privacy/issuances/Pages/handbook.aspx.

Please contact the Office of Privacy, Transparency, and Records on 202/622-0755 for assistance in drafting a notice of proposed rulemaking.

 

 
 

 

 TOP

 


XII. Review and Reporting Requirements

A. Reviews

B. Reporting Requirements

C. Biennial Report

 

 

XII. Review and Reporting Requirements

Summary: This chapter explains the reporting and review requirements found in the Act, OMB guidance and Treasury regulations.

A. Reviews

 

Bureaus are to conduct the following reviews and are to be prepared to report the results of such reviews and the corrective action taken to resolve problems uncovered by the reviews to the Office of Management and Budget through the Departmental Disclosure Office:

 

1. Review every two years a random sample of agency contracts that provide for the maintenance of a system of records on behalf of the component to accomplish an agency function, in order to ensure that the wording of each contract makes the provisions of the Act binding on the contractor and his or her employees.

 

2. Review biennially agency recordkeeping and disposal policies and practices in order to assure compliance with the Act, paying particular attention to the maintenance of automated systems.

 

3. Review every four years the routine use disclosures associated with each system of records in order to ensure that the recipient's use of such records continues to be compatible with the purpose for which the disclosing component originally collected the information.

 

4. Review every four years each system of records for which the component has issued exemption rules pursuant to subsection (j) or (k) of the PA in order to determine whether such exemption is still needed.

 

5. Review annually each ongoing matching program in which the component has participated during the year, either as a source or as a matching agency, in order to ensure that the requirements of the Act, as well as OMB's "Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988," dated June 19, 1989, have been met.

 

6. Review biennially agency training practices in order to ensure that all Department personnel are familiar with the requirements of the Act, the Department's implementing regulations, and any special requirements that their specific jobs entail.

 

7. Review biennially the actions of component personnel that have resulted either in the agency being found civilly liable under subsection (g) of the Act, or an employee being found criminally liable under the provisions of subsection (i) of the Act, in order to determine the extent of the problem and to find the most effective way to prevent recurrences of the problem.

8. Review biennially each system of records notice to ensure that it accurately describes the system. Where minor changes are needed, ensure that an amended notice is published in the Federal Register. All system managers are responsible for establishing an ongoing review procedures.

 

As part of the review, Treasury should also assess whether it is in compliance with the requirement that agencies maintain no record describing how an individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the records are kept, or unless pertinent to and within the scope of an authorized law enforcement activity. Records should contain only such information about an individual as is relevant and necessary to accomplish a purpose that may be required by statute.

B. Reporting Requirements

On February 11, 2005, OMB issued M-05-08 which noted that as is required by the Privacy Act, the Federal Information Security Management Act (FISMA), and other laws agencies have the authority to conduct periodic reviews (e.g., as part of their annual FISMA reviews) to promptly identify deficiencies, weaknesses, or risks. When compliance issues are identified, agencies are obligated to take appropriate steps to remedy them.

C. Biennial Report

The Department of the Treasury no longer collects information concerning its Privacy Act activities for its biennial report to OMB. Section 3003 of the Federal Reports Elimination and Sunset Act of 1995 repealed (effective May 15, 2000) the requirement in Section 552a(s) for OMB to submit a biennial Privacy Act report to Congress.

 

 TOP


XIII. Contractors, Training, Rules of Conduct and Penalties for Non-compliance

A. Contractor Personnel Subject to the Act

B. Training

C. Rules of Conduct

D. Penalties for Non-compliance



XIII. Contractors, Training, Rules of Conduct and Penalties for Non-compliance

Summary: This chapter discusses requirements of the Act as they affect the relationship between Treasury and its contractors; the requirement for training; the rules of conduct required by Treasury regulations; and penalties provided by the Act.

A. Contractor Personnel Subject to the Act

Government contractors and their employees who contract for the operation of a system of records to accomplish a Departmental function are governed by the provisions of the PA. All contracts should contain the standard contract requirements found at 48 CFR Ch.1, Part 24.1, to ensure compliance with the PA.

A contractor and employees are considered employees of the Department of the Treasury for the purposes of 5U.S.C. 552a(i). However, for the purpose of disclosing PA records to government contractors, courts have held that a contractor’s employees are not government employees. This then prevents a disclosure of agency records to a government contractor pursuant to 5 U.S.C. 552a(b)(1). In order for an agency to disclose PA records to a contractor, the agency must establish a “routine use” in the subject system of records, allowing the disclosure to the contractor.

 

The system manager is responsible for ensuring that the contractor complies with the contract requirements relating to privacy. Training and necessary clearances will precede the engagement of government contractors. Strict care will be used to ensure that they are given only the minimum access to data which is necessary, and that they have no opportunity to access data beyond that which is intended that they access.

B. Training

Each bureau shall institute a training program to instruct their employees, and employees of Government contractors covered by 5U.S.C. 552a(m), who are involved in the design, development, operation or maintenance of any system of records, on a continuing basis with respect to the duties and responsibilities imposed on them and the rights conferred on individuals by the PA and Treasury Department regulations (31 CFR Part 1, Subpart C), including appendices A - M. The training shall provide suitable emphasis on the civil and criminal penalties imposed on the Department and individual employees for non-compliance with specified requirements of the PA.

C. Rules of Conduct

Rules of conduct published at 31CFR0.216 require employees involved in the design, development, operation, or maintenance of any system of records or in the maintaining of records subject to the PA to comply with the conduct regulations delineated in the disclosure regulations at 31 CFR 1.28(b).

D. Penalties for Non-compliance

Any officer or employee of the Department of the Treasury shall be guilty of a misdemeanor and fined not more than $5,000 for willfully:

1. Disclosing information, which is known to be prohibited by the PA, to any person or agency not entitled to receive it; and

2. Maintaining a system of records without meeting the notice requirements of the Act.

 

 TOP


XIV. Judicial Review

A. In General

B. Conditions for Requesting Judicial Review

C. Judicial Remedies

D. Misrepresentation

E. Courts Having Jurisdiction

F. Time Limits

XIV. Judicial Review

Summary: This chapter provides an overview of the judicial remedies which are available to requesters under the Act and how a requester may gain access to the courts.

A. In General

The right to ask for judicial review which is granted by the Act is not intended to permit a requester to use the Act as an alternative forum in which to collaterally attack information or records which have already been the subject of an administrative, quasi-judicial, or judicial action (e.g., a grievance, adverse action), or for which adequate judicial or administrative review is otherwise available.

B. Conditions for Requesting Judicial Review

1. Denial of Access to Records. A requester may challenge a Department decision to deny access to records to which the requester considers himself/herself entitled to under the Act. This would include:

a. A challenge to the Department's determination to exempt a system of records from the requirement of the Act that the individual be granted access;

b. A challenge to the Department's refusal to grant access as a result of its interpretation of the definitions in the Act as they apply to information maintained by the Department. For example, an agency decision that a given record is not a part of a system of records as defined by the Act, and is therefore not subject to the provisions of the Act; or

c. A challenge to the Department's denial of access to records compiled in reasonable anticipation of a civil action or proceeding.

2. Refusal to Amend a Record. A requester may seek judicial review of the Department's determination not to amend a record when either of the following two conditions apply:

a. The requester has exhausted the administrative procedures established by the Department and the reviewing official has refused to amend the record; or

b. The requester contends that the Department has not considered the request to review the initial decision in a timely manner, or otherwise has not acted in a manner consistent with the requirements of the Act.

3. Failure to Maintain a Record Accurately. A requester may bring a civil action if he/she can show that:

a. The Department failed to maintain a record with such accuracy, relevance, timeliness, and completeness as is required by the Act; and

b. The deficiency in the record resulted in an adverse determination by the Department based on the contents of the record (i.e., a determination resulting in the individual's loss of a right, benefit, or entitlement), and the individual could reasonably have expected to avoid the adverse determination but for the deficiency in the record.

4. Other Failures. A requester may bring a civil action against the Department for any alleged failure to comply with the requirements of the Act or failure to comply with any rule published by the Department to implement the Act. However, the individual must demonstrate that:

a. The action was intentional and willful; and

b. The action had an adverse effect on the individual; and

c. The adverse effect was causally related to the Department's actions.

C. Judicial Remedies

1. When, as a result of a de novo hearing, the court determines that an individual was improperly denied access to a record, the court may provide the following remedies:

a. Enjoin the Department from withholding the record; and

b. Order the Department to provide the records which were previously withheld to the complainant; and

c. Assess against the United States reasonable attorney fees and other litigation costs reasonably incurred by the complainant when the complainant has substantially prevailed in the case.

2. In a suit brought as a result of the Department's refusal to amend a record, when the court finds for the complainant, the court may provide the following remedies:

a. Order the Department or component in physical possession of the record to amend the record in accordance with the request, or in such a way as the court may direct; and

b. Assess against the government reasonable attorney fees and other litigation costs reasonably incurred by the complainant, in any case in which the complainant has substantially prevailed.

 

3. Remedies for Failure to Maintain an Accurate Record and Other Failures. In a suit brought against the Department for failure to maintain an accurate, complete, relevant, and timely record or for failure to observe a rule issued to implement the Act, if the court determines that the Department acted in a manner that was intentional or willful, the Government may be assessed for an amount equal to:

a. The actual damages sustained by the individual as a result of the Department's failure, but in no case less than $1,000; and

b. The cost of the action, together with reasonable attorney fees, as determined by the court.

D. Misrepresentation

A civil action may be brought at any time within two years after the date the requester discovers a misrepresentation in those cases where the Department has:

1. Materially and willfully misrepresented any information required to be disclosed to the requester; and

2. The information that was misrepresented is relevant to establishing liability of the Department to the requester under the Act.

E. Courts Having Jurisdiction

The Act provides that the requester may bring an action to enforce any liability created under the Act in the District Court of the United States in the judicial district in which the requester resides; in which the requester has his/her principal place of business; in which the Department records are situated; or in the District of Columbia.

F. Time Limits

The time limit during which a civil action may be brought under the Act is generally limited to a period of two years from the date the cause of the action occurred (e.g., refusal to grant access, refusal to amend).

 

 TOP


XV. Computer Matching

A. In General

B. Matching Program Requirements

C. Exclusions From the Definition of a Matching Program

D. Matching Notice and Publication Requirements

E. Report to OMB and Congress

F. Preparing and Executing Matching Agreements

G. Providing Due Process to Matching Subjects

H. Data Integrity Board

I. Definitions

 

XV. Computer Matching

Summary: This chapter provides information on the provisions of the Act relating to computer matching activities. It briefly describes how the Department implements requirements of the Act as they pertain to matching agreements, matching notices and the Data Integrity Board.

A. In General

Congress made major changes to the Privacy Act of 1974 when it enacted the "Computer Matching and Privacy Protection Act of 1988" on October 18, 1988 (Public Law 100-503). The provisions of the Act became effective nine months after enactment and made no provisions which would allow the existing computer matches to be "grandfathered" after the effective date of the legislation.

B. Matching Program Requirements

1. The Computer Matching and Privacy Protection Act (CMPPA) covers two kinds of matching programs:

a. Matches involving Federal benefits programs; and

b. Matches using records from Federal personnel or payroll systems of records.

A Federal benefits matching program is defined as any computerized comparison of two or more automated systems of records or a system of records with non Federal records for the purpose of (I) establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in kind assistance or payments under Federal benefit programs; or (II) recouping payments or delinquent debts under such Federal benefit programs.

A second type of matching program involves a computerized comparison of two or more automated Federal personnel or payroll systems of records or a system of Federal personnel or payroll records with non Federal records.

2. Computerized Comparison of Data. The record comparison must be a computerized comparison involving records from:

 

a. Two or more automated systems of records (i.e., systems of records maintained by Federal agencies that are subject to the PA); or

b. A Federal agency's automated system of records and automated records maintained by a non-Federal (i.e., State or local) government agency or agent thereof. To be covered, matches of these records must be computerized.

 

3. Categories of Subjects Covered. The provisions of the CMPPA cover only the following categories of record subjects:

 

a. Applicants for Federal benefits programs (i.e., individuals initially applying for benefits);

b. Program beneficiaries (i.e., individual program participants who are currently receiving or formerly received benefits);

c. Providers of services to support such programs (i.e., those who are not the primary beneficiaries, but who do receive income from the Federal programs -- health care providers, for example).

 

4. Types of Programs Covered. Only Federal benefit programs (including programs administered by States on behalf of the Federal government) providing cash or in-kind assistance to individuals are covered. State programs are not covered. Programs using records about subjects who are not individuals as defined by 5 U.S.C. 552a(a)(2) of the PA are not covered.

5. Matching Purpose. The purpose of a match must be one or more of the following:

 

a. Establishing or verifying initial or continuing eligibility for Federal benefits programs; or

b. Verifying compliance with the requirements (statutory or regulatory) of such programs; or

c. Recouping payments or delinquent debts under such Federal benefits programs.

 

It should be noted that all of the four elements (computerized comparison, categories of subjects, Federal benefit program, and matching purpose) must be present before a matching program is covered under the provisions of the CMPPA.

6. Federal Personnel or Payroll Records Matches. The CMPPA also includes matches comparing records from automated Federal personnel or payroll systems of records, or such records and automated records of State and local governments. Again, it should be noted that the comparison must be done by using a computer. Manual

comparisons are not covered. In some instances, a covered match may take place within a single agency. For example, an agency may wish to determine whether any of its own personnel are participating in a benefit program administered by the agency, and are not in

compliance with the program's eligibility requirements. This internal match will certainly result in an adverse action if ineligibility is discovered. Therefore, it is covered by the requirements of the CMPPA.

C. Exclusions From the Definition of a Matching Program

The CMPPA provides for eight exclusions to the Act and agencies operating such programs are not required to comply with the provisions of the CMPPA; however, any applicable provision of the PA must be complied with. The exclusions are:

1. Statistical matches whose purpose is solely to produce aggregate data stripped of personal identifiers. Implicitly, this match is not done to take action against specific individ¬uals, although statistical inferences drawn from the data may have consequences for the subjects of the match as members of a class or group. The results of the match must not contain individually identifiable data.

2. Statistical matches whose purpose is in support of any research or statistical project. The results of this type match do not need to be stripped of individual identifiers, but the results cannot be used to make decisions that affect the rights, benefits or privileges of specific individuals. The data developed from these matching programs may be used to make decisions about a benefit program in general that may ultimately affect the beneficiaries.

3. Pilot matches. This is a small-scale match whose purpose is to gather benefit/cost data on which to premise a decision about engaging in a full-scale matching program. The pilot matches must be approved by the Data Integrity Board (DIB).

4. Law enforcement investigative matches whose purpose is to gather evidence against a named person or persons in an existing investigation. This exclusion is available to an agency or a component whose principal statutory function involves the enforce¬ment of criminal laws and is eligible to exempt certain of its PA systems of records under subsection (j)(2) of the PA. The match must be used for the purpose of gathering evidence against a specific person or persons. The use of a match for a "fishing expedition" is not eligible for this exclusion.

5. Tax administration matches. This exclusion covers four categorical exclusions for matches using tax information, such as tax returns and tax return information. These matches are:

 

a. Matches done pursuant to Section 6103(d) of the Internal Revenue Code involving disclosures of taxpayer information to state tax officials;

b. Matches done for the purposes of tax administration as defined in Section 6103(b)(4) of the Internal Revenue Code. The term "tax administration" means the administration, management, conduct, direction, and supervision of the execution and application of the internal revenue laws or related statutes (or equivalent laws and statutes of a state) and tax conventions to which the United States is a part; and the development and formulation of Federal tax policy relating to existing or proposed internal revenue laws, related statutes, and tax conventions; and includes assessment, collection, enforcement, litigation, publication, and statistical gathering functions under such laws, statutes or conventions. The Bureau of Alcohol, Tobacco, and Firearms also has collection and enforcement authority under the Internal Revenue Code, and tax administration is, therefore, a part of that component's responsibilities as well;

c. Tax refund offset matches done pursuant to the Deficit Reduction Act of 1984 (DEFRA) because of the due process procedures contained in DEFRA;

d. Tax refund offset matches conducted pursuant to statutes other than DEFRA provided OMB finds the due process provisions of those statutes substantially similar to those of DEFRA.

 

6. Routine administrative matches using Federal personnel records. These are matches between a Federal agency and other Federal agencies or between a Federal agency and non-Federal agencies for administrative purposes that use data bases that contain records predominantly relating to Federal personnel. Matches whose purpose is to take adverse action against Federal personnel are NOT excluded from the Act's coverage.

7. Internal agency matches using only records from the agency's system of records. This exclusion permits agencies to disseminate PA records to agency employees on an official need-to-know basis as provided in the PA under Section (b)(1). This exclusion is lost when adverse intent as to Federal employees motivates the match.

8. Background investigation and foreign counter-intelligence matches. Matches done in the course of performing a background check for security clearance of Federal personnel or Federal contractor personnel are not covered. Matches done for the purpose of foreign counter-intelligence are also excluded.

D. Matching Notice and Publication Requirements

Because the CMPPA does not itself authorize disclosures from systems of records for the purposes of conducting matching programs, agencies must justify any disclosures under section (b) of the PA. This means obtaining the written consent of the record subjects to the disclosure or relying on one of the 12 exceptions to the written consent rule. To rely on exception (b)(3), routine use, a notice of intent to disclose must be published in the Federal Register.

1. There are two ways in which record subjects can receive notice that their records may be matched:

a. By direct notice; e.g., information on the application form when they apply for a benefit or in a notice that arrives with a benefit they receive; or,

b. By constructive notice; e.g., publication of system notices, routine use disclosures, and matching programs in the Federal Register.

Agencies must publish notices of the establishment or alteration of a matching program in the Federal Register at least 30 days prior to conducting such programs. The recipient Federal agency in a match between Federal agencies or in a match in which a non-Federal agency discloses records to a Federal agency is responsible for publishing such notices. Where a state or local agency is the recipient of records from a Federal agency's systems of records, the Federal source agency is responsible for publishing the notice. Where more than one agency is involved in a matching program, the agencies are encouraged to publish a consolidated notice.

2. Notices published in the Federal Register should contain the following information:

a. Name of participating agency or agencies;

b. Purpose of the match;

c. Authority for conducting the match;

d. Categories of records and individuals covered;

e. Inclusive dates of the matching program; and

f. Address for receipt of public comment or inquiries.

E. Report to OMB and Congress

In addition, at least 40 days prior to the initiation of a new or substantially altered matching program, a report must be submitted to OMB and Congress. The report should contain the following information:

1. What alternatives to matching were considered and why a matching program was chosen;

2. The date the match was approved by each participating Federal agency's DIB;

3. Whether a benefit/cost analysis was required and, if so, whether it projected a favorable ratio.

A copy of the Federal Register matching notice describing the match is to be made a part of the report.

F. Preparing and Executing Matching Agreements

Federal agencies receiving records from or disclosing records to non-Federal agencies for use in matching programs are responsible for preparing the matching agreements and should solicit relevant data from non-Federal agencies where necessary. Agencies should allow sufficient lead time to ensure that matching agreements can be negotiated and signed in time to secure DIB decisions. Matching agreements must contain the following:

1. Purpose and legal authority. The Act does not provide independent authority for the operation of a matching program; therefore, a specific Federal or State statutory or regulatory basis must be given for undertaking the program.

2. Justification and expected results. An explanation of why the matching program is being used rather than some other administrative activity and what the results are expected to be.

3. Records description. The Federal system(s) of records should be specifically identified. Included in this description is the number of records, the data elements to be included and the projected starting and completion dates of the matching program.

4. Notice procedures. Describes the general and individual periodic notice procedures and states whether direct notice or constructive notice was given to the record subjects.

5. Verification Procedures. Describes the methods used by the agency to independently verify the information obtained through the matching program.

6. Disposition of Matched Items. Describes when and how the information generated by the matching program will be destroyed once the program's purposes and any legal retention requirements have been met.

7. Security Procedures. Describes the administrative, technical and physical safeguards to be used in protecting the information, commensurate with the level of sensitivity of the data.

8. Records usage, duplication and redisclosure restrictions. This describes any specific restrictions imposed either by the source or recipient agency to keep or use the records and when they will be returned or destroyed. In general, recipient agencies should not subsequently disclose records obtained for a matching program and, under the terms of a matching agreement, for other purposes absent a specific statutory requirement or where the disclosure is essential to the conduct of a matching program.

9. Records accuracy assessments. Describes the quality of the records used in the computer match and indicates whether the records meet the standard imposed by the PA for insuring the accuracy of the records.

10. Comptroller General access. A statement that the Comptroller General may have access to all necessary records of a recipient agency or non-Federal agency to monitor or verify compliance with the agreement.

G. Providing Due Process to Matching Subjects

The CMPPA prescribes certain due process requirements that the subjects of matching programs must be afforded when matches uncover adverse information about them.

1. Verification of adverse information. Agencies may not premise adverse action upon the raw results of a computer match. Any adverse information must be subject to investigation and verification. Absolute confirmation is not required, only a reasonable verification process that yields confirmatory data to the agency to take the intended action.

2. Notice and opportunity to contest. A subject of a computer match in which adverse information is uncovered shall be notified by the agency and given an opportunity to explain prior to any adverse action being taken.

H. Data Integrity Board

The CMPPA requires that each Federal agency that acts as either a source or recipient in a matching program establish a DIB to oversee the agency's participation. Before any component of Treasury participates in a matching program, Treasury's DIB must have evaluated the proposed match and approved the terms of the matching agreement.

The Act requires that the Board consist of senior agency officials designated by the agency head. The only two mandatory members are the Inspector General of the agency, who may not serve as Chairman, and the senior official responsible for the implementation of the PA.

The Treasury DIB is made up of six permanent representatives and three rotational representatives. The permanent members of the DIB are:

1. Deputy Assistant Secretary for Privacy, Transparency, and Records (Chair);

2. Inspector General;

3. Treasury Inspector General for Tax Administration

4. Departmental Privacy Act Officer (Board Secretary);

5. Associate Chief Information Officer, Capital Planning and Information

Management, and

6. Assistant General Counsel (Administrative and General Law);

7. Office of Chief Information Office.

I. Definitions

1. Constructive Notice. The publication of a systems notice, routine use disclosures, and matching program in the Federal Register.

2. Data Integrity Board. A board established by each agency that acts as either a source or recipient in a matching program staffed by senior agency officials to oversee the agency's participation in matching programs.

3. Direct Notice. The subject of a record is provided with a notice on the application form or other document that his/her records may be matched.

4. Non-Federal Agency. A non-federal agency is a State or local governmental agency that receives records contained in a system of records from a Federal agency to be used in a matching program.

5 Matching Program. A comparison of records using a computer. The records must exist in automated form in order to perform the match.

6. Recipient Agency. Federal agencies (or their contractors) that receive records from the PA systems of records of other Federal agencies or from State or local governments to be used in a matching program.

7. Source Agency. A Federal agency that discloses records from a system of records to another Federal agency or to a State or local governmental agency to be used in a matching program.


 TOP


Appendix A

A. Definitions

B. Conditions of Disclosure

C. Accounting for Certain Disclosures

D. Access to Records

E. Agency Requirements

F. Agency Rules

G. Civil Remedies

H. Rights of Legal Guardians

I. Criminal Penalties

J. General Exemptions

K. Specific Exemptions

L. Archival Records

M. Government Contractors

N. Mailing Lists

O. Matching Agreements

P. Verificiation and Opportunity Contest Findings

Q. Sanctions

R. Report on New Systems and Matching Programs

S. Biennial report

T. Effect of Other Laws

U. Data Integrity Boards

V. Office of Management and Budget Responsibilities

 

 

Appendix A

§ 552a. Records maintained on individuals A. Definitions

For purposes of this section--

(1) the term "agency" means agency as defined in section 552(f) of this title;

(2) the term "individual" means a citizen of the United States or an alien lawfully admitted for permanent residence;

(3) the term "maintain" includes maintain, collect, use or disseminate;

(4) the term "record" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph;

(5) the term "system of records" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual;

(6) the term "statistical record" means a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by section 8 of Title 13;

(7) the term "routine use" means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected;

(8) the term "matching program"--

(A) means any computerized comparison of—

(i) two or more automated systems of records or a system of records with non-Federal records for the purpose of—

(I) establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs, or

(II) recouping payments or delinquent debts under such Federal benefit programs, or

(ii) two or more automated Federal personnel or payroll systems of records or a system of Federal personnel or payroll records with non-Federal records,

(B) but does not include—

(i) matches performed to produce aggregate statistical data without any personal identifiers;

(ii) matches performed to support any research or statistical project, the specific data of which may not be used to make decisions concerning the rights, benefits, or privileges of specific individuals;

(iii) matches performed, by an agency (or component thereof) which performs as its principal function any activity pertaining to the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named person or persons for the purpose of gathering evidence against such person or persons;

(iv) matches of tax information (I) pursuant to section 6103(d) of the Internal Revenue Code of 1986, (II) for purposes of tax administration as defined in section 6103(b)(4) of such Code, (III) for the purpose of intercepting a tax refund due an individual under authority granted by section 404(e), 464, or 1137 of the Social Security Act; or (IV) for the purpose of intercepting a tax refund due an individual under any other tax refund intercept program authorized by statute which has been determined by the Director of the Office of Management and Budget to contain verification, notice, and hearing requirements that are substantially similar to the procedures in section 1137 of the Social Security Act;

(v) matches--

(I) using records predominantly relating to Federal personnel, that are performed for routine administrative purposes (subject to guidance provided by the Director of the Office of Management and Budget pursuant to subsection (v)); or

(II) conducted by an agency using only records from systems of records maintained by that agency;

if the purpose of the match is not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel; or

(vi) matches performed for foreign counterintelligence purposes or to produce background checks for security clearances of Federal personnel or Federal contractor personnel;

(vii) matches performed incident to a levy described in section 6103(k)(8) of the Internal Revenue Code of 1986; or

(viii) matches performed pursuant to section 202(x)(3) or 1611(e)(1) of the Social Security Act (42 U.S.C. § 402(x)(3), § 1382(e)(1);

 

(9) the term "recipient agency" means any agency, or contractor thereof, receiving records contained in a system of records from a source agency for use in a matching program;

(10) the term "non-Federal agency" means any State or local government, or agency thereof, which receives records contained in a system of records from a source agency for use in a matching program;

(11) the term "source agency" means any agency which discloses records contained in a system of records to be used in a matching program, or any State or local government, or agency thereof, which discloses records to be used in a matching program;

(12) the term "Federal benefit program" means any program administered or funded by the Federal Government, or by any agent or State on behalf of the Federal Government, providing cash or in-kind assistance in the form of payments, grants, loans, or loan guarantees to individuals; and

(13) the term "Federal personnel" means officers and employees of the Government of the United States, members of the uniformed services (including members of the Reserve Components), individuals entitled to receive immediate or deferred retirement benefits under any retirement program of the Government of the United States (including survivor benefits).

B. Conditions of Disclosure

No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be--

(1) to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;

(2) required under section 552 of this title;

(3) for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section;

(4) to the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title 13;

(5) to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;

(6) to the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;

(7) to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought;

(8) to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual;

(9) to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;

(10) to the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the General Accounting Office;

(11) pursuant to the order of a court of competent jurisdiction; or

(12) to a consumer reporting agency in accordance with section 3711(e) of Title 31.

C. Accounting for Certain Disclosures

Each agency, with respect to each system of records under its control, shall—

(1) except for disclosures made under subsections (b)(1) or (b)(2) of this section, keep an accurate accounting of--

 

(A) the date, nature, and purpose of each disclosure of a record to any person or to another agency made under subsection (b) of this section; and

(B) the name and address of the person or agency to whom the disclosure is made;

 

(2) retain the accounting made under paragraph (1) of this subsection for at least five years or the life of the record, whichever is longer, after the disclosure for which the accounting is made;

(3) except for disclosures made under subsection (b)(7) of this section, make the accounting made under paragraph (1) of this subsection available to the individual named in the record at his request; and

(4) inform any person or other agency about any correction or notation of dispute made by the agency in accordance with subsection (d) of this section of any record that has been disclosed to the person or agency if an accounting of the disclosure was made.

D. Access to Records

Each agency that maintains a system of records shall—

(1) upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him and upon his request, a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him, except that the agency may require the individual to furnish a written statement authorizing discussion of that individual's record in the accompanying person's presence;

(2) permit the individual to request amendment of a record pertaining to him and--

 

(A) not later than 10 days (excluding Saturdays, Sundays, and legal public holidays) after the date of receipt of such request, acknowledge in writing such receipt; and

(B) promptly, either--

(i) make any correction of any portion thereof which the individual believes is not accurate, relevant, timely, or complete; or

(ii) inform the individual of its refusal to amend the record in accordance with his request, the reason for the refusal, the procedures established by the agency for the individual to request a review of that refusal by the head of the agency or an officer designated by the head of the agency, and the name and business address of that official;

 

(3) permit the individual who disagrees with the refusal of the agency to amend his record to request a review of such refusal, and not later than 30 days (excluding Saturdays, Sundays, and legal public holidays) from the date on which the individual requests such review, complete such review and make a final determination unless, for good cause shown, the head of the agency extends such 30-day period; and if, after his review, the reviewing official also refuses to amend the record in accordance with the request, permit the individual to file with the agency a concise statement setting forth the reasons for his disagreement with the refusal of the agency, and notify the individual of the provisions for judicial review of the reviewing official's determination under subsection (g)(1)(A) of this section;

(4) in any disclosure, containing information about which the individual has filed a statement of disagreement, occurring after the filing of the statement under paragraph (3) of this subsection, clearly note any portion of the record which is disputed and provide copies of the statement and, if the agency deems it appropriate, copies of a concise statement of the reasons of the agency for not making the amendments requested, to persons or other agencies to whom the disputed record has been disclosed; and

(5) nothing in this section shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.

E. Agency Requirements

Each agency that maintains a system of records shall—

(1) maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive order of the President;

(2) collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs;

(3) inform each individual whom it asks to supply information, on the form which it uses to collect the information or on a separate form that can be retained by the individual--

 

(A) the authority (whether granted by statute, or by Executive order of the President) which authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary;

(B) the principal purpose or purposes for which the information is intended to be used;

(C) the routine uses which may be made of the information, as published pursuant to paragraph (4)(D) of this subsection; and

(D) the effects on him, if any, of not providing all or any part of the requested information;

 

(4) subject to the provisions of paragraph (11) of this subsection, publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records, which notice shall include—

 

(A) the name and location of the system;

(B) the categories of individuals on whom records are maintained in the system;

(C) the categories of records maintained in the system;

(D) each routine use of the records contained in the system, including the categories of users and the purpose of such use;

(E) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;

(F) the title and business address of the agency official who is responsible for the system of records;

(G) the agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him;

(H) the agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system of records, and how he can contest its content; and

(I) the categories of sources of records in the system;

 

(5) maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination;

(6) prior to disseminating any record about an individual to any person other than an agency, unless the dissemination is made pursuant to subsection (b)(2) of this section, make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes;

(7) maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity;

(8) make reasonable efforts to serve notice on an individual when any record on such individual is made available to any person under compulsory legal process when such process becomes a matter of public record;

(9) establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of this section, including any other rules and procedures adopted pursuant to this section and the penalties for noncompliance;

(10) establish appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained;

(11) at least 30 days prior to publication of information under paragraph (4)(D) of this subsection, publish in the Federal Register notice of any new use or intended use of the information in the system, and provide an opportunity for interested persons to submit written data, views, or arguments to the agency; and

(12) if such agency is a recipient agency or a source agency in a matching program with a non-Federal agency, with respect to any establishment or revision of a matching program, at least 30 days prior to conducting such program, publish in the Federal Register notice of such establishment or revision.

F. Agency Rules

In order to carry out the provisions of this section, each agency that maintains a system of records shall promulgate rules, in accordance with the requirements (including general notice) of section 553 of this title, which shall—

(1) establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him;

(2) define reasonable times, places, and requirements for identifying an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual;

(3) establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedure, if deemed necessary, for the disclosure to an individual of medical records, including psychological records, pertaining to him;

(4) establish procedures for reviewing a request from an individual concerning the amendment of any record or information pertaining to the individual, for making a determination on the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under this section; and

(5) establish fees to be charged, if any, to any individual for making copies of his record, excluding the cost of any search for and review of the record.

The Office of the Federal Register shall biennially compile and publish the rules promulgated under this subsection and agency notices published under subsection (e)(4) of this section in a form available to the public at low cost.

 

G. Civil Remedies

(1) Whenever any agency

 

(A) makes a determination under subsection (d)(3) of this section not to amend an individual's record in accordance with his request, or fails to make such review in conformity with that subsection;

(B) refuses to comply with an individual request under subsection (d)(1) of this section;

(C) fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individual; or

(D) fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.

 

(2)(A) In any suit brought under the provisions of subsection (g)(1)(A) of this section, the court may order the agency to amend the individual's record in accordance with his request or in such other way as the court may direct. In such a case the court shall determine the matter de novo.

 

(B) The court may assess against the United States reasonable attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed.

 

(3)(A) In any suit brought under the provisions of subsection (g)(1)(B) of this section, the court may enjoin the agency from withholding the records and order the production to the complainant of any agency records improperly withheld from him. In such a case the court shall determine the matter de novo, and may examine the contents of any agency records in camera to determine whether the records or any portion thereof may be withheld under any of the exemptions set forth in subsection (k) of this section, and the burden is on the agency to sustain its action.

 

(B) The court may assess against the United States reasonable attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed.

 

(4) In any suit brought under the provisions of subsection (g)(1)(C) or (D) of this section in which the court determines that the agency acted in a manner which was intentional or willful, the United States shall be liable to the individual in an amount equal to the sum of--

 

 

(A) actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000; and

(B) the costs of the action together with reasonable attorney fees as determined by the court.

 

(5) An action to enforce any liability created under this section may be brought in the district court of the United States in the district in which the complainant resides, or has his principal place of business, or in which the agency records are situated, or in the District of Columbia, without regard to the amount in controversy, within two years from the date on which the cause of action arises, except that where an agency has materially and willfully misrepresented any information required under this section to be disclosed to an individual and the information so misrepresented is material to establishment of the liability of the agency to the individual under this section, the action may be brought at any time within two years after discovery by the individual of the misrepresentation. Nothing in this section shall be construed to authorize any civil action by reason of any injury sustained as the result of a disclosure of a record prior to September 27, 1975.

H. Rights of Legal Guardians

For the purposes of this section, the parent of any minor, or the legal guardian of any individual who has been declared to be incompetent due to physical or mental incapacity or age by a court of competent jurisdiction, may act on behalf of the individual.

I. Criminal Penalties

(1) Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

(2) Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.

(3) Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.

 

J. General Exemptions

The head of any agency may promulgate rules, in accordance with the requirements (including general notice) of sections 553(b)(1), (2), and (3), (c), and (e) of this title, to exempt any system of records within the agency from any part of this section except subsections (b), (c)(1) and (2), (e)(4)(A) through (F), (e)(6), (7), (9), (10), and (11), and (i) if the system of records is—

(1) maintained by the Central Intelligence Agency; or

(2) maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities, and which consists of (A) information compiled for the purpose of identifying individual criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and probation status; (B) information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; or (C) reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision.

At the time rules are adopted under this subsection, the agency shall include in the statement required under section 553(c) of this title, the reasons why the system of records is to be exempted from a provision of this section.

 

K. Specific Exemptions

The head of any agency may promulgate rules, in accordance with the requirements (including general notice) of sections 553(b)(1), (2), and (3), (c), and (e) of this title, to exempt any system of records within the agency from subsections (c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f) of this section if the system of records is—

(1) subject to the provisions of section 552(b)(1) of this title;

(2) investigatory material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2) of this section: Provided, however, That if any individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal law, or for which he would otherwise be eligible, as a result of the maintenance of such material, such material shall be provided to such individual, except to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence;

(3) maintained in connection with providing protective services to the President of the United States or other individuals pursuant to section 3056 of Title 18;

(4) required by statute to be maintained and used solely as statistical records;

(5) investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence;

(6) testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process; or

(7) evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence.

At the time rules are adopted under this subsection, the agency shall include in the statement required under section 553(c) of this title, the reasons why the system of records is to be exempted from a provision of this section.

 

L. Archival Records

(1) Each agency record which is accepted by the Archivist of the United States for storage, processing, and servicing in accordance with section 3103 of Title 44 shall, for the purposes of this section, be considered to be maintained by the agency which deposited the record and shall be subject to the provisions of this section. The Archivist of the United States shall not disclose the record except to the agency which maintains the record, or under rules established by that agency which are not inconsistent with the provisions of this section.

(2) Each agency record pertaining to an identifiable individual which was transferred to the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, prior to the effective date of this section, shall, for the purposes of this section, be considered to be maintained by the National Archives and shall not be subject to the provisions of this section, except that a statement generally describing such records (modeled after the requirements relating to records subject to subsections (e)(4)(A) through (G) of this section) shall be published in the Federal Register.

(3) Each agency record pertaining to an identifiable individual which is transferred to the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, on or after the effective date of this section, shall, for the purposes of this section, be considered to be maintained by the National Archives and shall be exempt from the requirements of this section except subsections (e)(4)(A) through (G) and (e)(9) of this section.

 

 

M. Government Contractors

(1) When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency.

(2) A consumer reporting agency to which a record is disclosed under section 3711(e) of Title 31 shall not be considered a contractor for the purposes of this section.

 

N. Mailing Lists

An individual's name and address may not be sold or rented by an agency unless such action is specifically authorized by law. This provision shall not be construed to require the withholding of names and addresses otherwise permitted to be made public.

O. Matching Agreements

1) No record which is contained in a system of records may be disclosed to a recipient agency or non-Federal agency for use in a computer matching program except pursuant to a written agreement between the source agency and the recipient agency or non-Federal agency specifying--

(A) the purpose and legal authority for conducting the program;

(B) the justification for the program and the anticipated results, including a specific estimate of any savings;

(C) a description of the records that will be matched, including each data element that will be used, the approximate number of records that will be matched, and the projected starting and completion dates of the matching program;

(D) procedures for providing individualized notice at the time of application, and notice periodically thereafter as directed by the Data Integrity Board of such agency (subject to guidance provided by the Director of the Office of Management and Budget pursuant to subsection (v)), to--

(i) applicants for and recipients of financial assistance or payments under Federal benefit programs, and

(ii) applicants for and holders of positions as Federal personnel, that any information provided by such applicants, recipients, holders, and individuals may be subject to verification through matching programs;

(E) procedures for verifying information produced in such matching program as required by subsection (p);

(F) procedures for the retention and timely destruction of identifiable records created by a recipient agency or non-Federal agency in such matching program;

(G) procedures for ensuring the administrative, technical, and physical security of the records matched and the results of such programs;

(H) prohibitions on duplication and redisclosure of records provided by the source agency within or outside the recipient agency or the non-Federal agency, except where required by law or essential to the conduct of the matching program;

(I) procedures governing the use by a recipient agency or non-Federal agency of records provided in a matching program by a source agency, including procedures governing return of the records to the source agency or destruction of records used in such program;

(J) information on assessments that have been made on the accuracy of the records that will be used in such matching program; and

(K) that the Comptroller General may have access to all records of a recipient agency or a non-Federal agency that the Comptroller General deems necessary in order to monitor or verify compliance with the agreement.

 

(2)(A) A copy of each agreement entered into pursuant to paragraph (1) shall--

(i) be transmitted to the Committee on Governmental Affairs of the Senate and the Committee on Government Operations of the House of Representatives; and

 

(ii) be available upon request to the public.

(B) No such agreement shall be effective until 30 days after the date on which such a copy is transmitted pursuant to subparagraph (A)(i).

(C) Such an agreement shall remain in effect only for such period, not to exceed 18 months, as the Data Integrity Board of the agency determines is appropriate in light of the purposes, and length of time necessary for the conduct, of the matching program.

(D) Within 3 months prior to the expiration of such an agreement pursuant to subparagraph (C), the Data Integrity Board of the agency may, without additional review, renew the matching agreement for a current, ongoing matching program for not more than one additional year if--

(i) such program will be conducted without any change; and

(ii) each party to the agreement certifies to the Board in writing that the program has been conducted in compliance with the agreement.

 

P. Verification and Opportunity Contest Findings

(1) In order to protect any individual whose records are used in a matching program, no recipient agency, non-Federal agency, or source agency may suspend, terminate, reduce, or make a final denial of any financial assistance or payment under a Federal benefit program to such individual, or take other adverse action against such individual, as a result of information produced by such matching program, until--

 

(A)(i) the agency has independently verified the information; or

(ii) the Data Integrity Board of the agency, or in the case of a non-Federal agency the Data Integrity Board of the source agency, determines in accordance with guidance issued by the Director of the Office of Management and Budget that—

(I) the information is limited to identification and amount of benefits paid by the source agency under a Federal benefit program; and

(II) there is a high degree of confidence that the information provided to the recipient agency is accurate;

(B) the individual receives a notice from the agency containing a statement of its findings and informing the individual of the opportunity to contest such findings; and

(C)(i) the expiration of any time period established for the program by statute or regulation for the individual to respond to that notice; or

(ii) in the case of a program for which no such period is established, the end of the 30-day period beginning on the date on which notice under subparagraph (B) is mailed or otherwise provided to the individual.

 

(2) Independent verification referred to in paragraph (1) requires investigation and confirmation of specific information relating to an individual that is used as a basis for an adverse action against the individual, including where applicable investigation and confirmation of--

 

(A) the amount of any asset or income involved;

(B) whether such individual actually has or had access to such asset or income for such individual's own use; and

(C) the period or periods when the individual actually had such asset or income.

 

(3) Notwithstanding paragraph (1), an agency may take any appropriate action otherwise prohibited by such paragraph if the agency determines that the public health or public safety may be adversely affected or significantly threatened during any notice period required by such paragraph.

Q. Sanctions

(1) Notwithstanding any other provision of law, no source agency may disclose any record which is contained in a system of records to a recipient agency or non-Federal agency for a matching program if such source agency has reason to believe that the requirements of subsection (p), or any matching agreement entered into pursuant to subsection (o), or both, are not being met by such recipient agency.

(2) No source agency may renew a matching agreement unless--

 

(A) the recipient agency or non-Federal agency has certified that it has complied with the provisions of that agreement; and

(B) the source agency has no reason to believe that the certification is inaccurate.

 

R. Report on New Systems and Matching Programs

Each agency that proposes to establish or make a significant change in a system of records or a matching program shall provide adequate advance notice of any such proposal (in duplicate) to the Committee on Government Operations of the House of Representatives, the Committee on Governmental Affairs of the Senate, and the Office of Management and Budget in order to permit an evaluation of the probable or potential effect of such proposal on the privacy or other rights of individuals.

S. Biennial report

Repealed by the Federal Reports Elimination and Sunset Act of 1995, Pub. L. No. 104-66, § 3003, 109 Stat. 707, 734-36 (1995), amended by Pub. L. No. 106-113, § 236, 113 Stat. 1501, 1501A-302 (1999) (changing effective date to May 15, 2000).

T. Effect of Other Laws

(1) No agency shall rely on any exemption contained in section 552 of this title to withhold from an individual any record which is otherwise accessible to such individual under the provisions of this section.

(2) No agency shall rely on any exemption in this section to withhold from an individual any record which is otherwise accessible to such individual under the provisions of section 552 of this title.

 

U. Data Integrity Boards

(1) Every agency conducting or participating in a matching program shall establish a Data Integrity Board to oversee and coordinate among the various components of such agency the agency's implementation of this section.

(2) Each Data Integrity Board shall consist of senior officials designated by the head of the agency, and shall include any senior official designated by the head of the agency as responsible for implementation of this section, and the inspector general of the agency, if any. The inspector general shall not serve as chairman of the Data Integrity Board.

(3) Each Data Integrity Board--

(A) shall review, approve, and maintain all written agreements for receipt or disclosure of agency records for matching programs to ensure compliance with subsection (o), and all relevant statutes, regulations, and guidelines;

(B) shall review all matching programs in which the agency has participated during the year, either as a source agency or recipient agency, determine compliance with applicable laws, regulations, guidelines, and agency agreements, and assess the costs and benefits of such programs;

(C) shall review all recurring matching programs in which the agency has participated during the year, either as a source agency or recipient agency, for continued justification for such disclosures;

(D) shall compile an annual report, which shall be submitted to the head of the agency and the Office of Management and Budget and made available to the public on request, describing the matching activities of the agency, including--

(i) matching programs in which the agency has participated as a source agency or recipient agency;

(ii) matching agreements proposed under subsection (o) that were disapproved by the Board;

(iii) any changes in membership or structure of the Board in the preceding year;

(iv) the reasons for any waiver of the requirement in paragraph (4) of this section for completion and submission of a cost-benefit analysis prior to the approval of a matching program;

(v) any violations of matching agreements that have been alleged or identified and any corrective action taken; and

(vi) any other information required by the Director of the Office of Management and Budget to be included in such report;

(E) shall serve as a clearinghouse for receiving and providing information on the accuracy, completeness, and reliability of records used in matching programs;

(F) shall provide interpretation and guidance to agency components and personnel on the requirements of this section for matching programs;

(G) shall review agency recordkeeping and disposal policies and practices for matching programs to assure compliance with this section; and

(H) may review and report on any agency matching activities that are not matching programs.

(4)(A) Except as provided in subparagraphs (B) and (C), a Data Integrity Board shall not approve any written agreement for a matching program unless the agency has completed and submitted to such Board a cost-benefit analysis of the proposed program and such analysis demonstrates that the program is likely to be cost effective.

 

(B) The Board may waive the requirements of subparagraph (A) of this paragraph if it determines in writing, in accordance with guidelines prescribed by the Director of the Office of Management and Budget, that a cost-benefit analysis is not required.

(C) A cost-benefit analysis shall not be required under subparagraph (A) prior to the initial approval of a written agreement for a matching program that is specifically required by statute. Any subsequent written agreement for such a program shall not be approved by the Data Integrity Board unless the agency has submitted a cost-benefit analysis of the program as conducted under the preceding approval of such agreement.

(5)(A) If a matching agreement is disapproved by a Data Integrity Board, any party to such agreement may appeal the disapproval to the Director of the Office of Management and Budget. Timely notice of the filing of such an appeal shall be provided by the Director of the Office of Management and Budget to the Committee on Governmental Affairs of the Senate and the Committee on Government Operations of the House of Representatives.

 

(B) The Director of the Office of Management and Budget may approve a matching agreement notwithstanding the disapproval of a Data Integrity Board if the Director determines that—

(i) the matching program will be consistent with all applicable legal, regulatory, and policy requirements;

(ii) there is adequate evidence that the matching agreement will be cost- effective; and

(iii) the matching program is in the public interest.

(C) The decision of the Director to approve a matching agreement shall not take effect until 30 days after it is reported to committees described in subparagraph (A).

(D) If the Data Integrity Board and the Director of the Office of Management and Budget disapprove a matching program proposed by the inspector general of an agency, the inspector general may report the disapproval to the head of the agency and to the Congress.

(6) The Director of the Office of Management and Budget shall, annually during the first 3 years after the date of enactment of this subsection and biennially thereafter, consolidate in a report to the Congress the information contained in the reports from the various Data Integrity Boards under paragraph (3)(D). Such report shall include detailed information about costs and benefits of matching programs that are conducted during the period covered by such consolidated report, and shall identify each waiver granted by a Data Integrity Board of the requirement for completion and submission of a cost-benefit analysis and the reasons for granting the waiver.

(7) In the reports required by paragraphs (3)(D) and (6), agency matching activities that are not matching programs may be reported on an aggregate basis, if and to the extent necessary to protect ongoing law enforcement or counterintelligence investigations.

 

V. Office of Management and Budget Responsibilities

The Director of the Office of Management and Budget shall—

(1) develop and, after notice and opportunity for public comment, prescribe guidelines and regulations for the use of agencies in implementing the provisions of this section; and

(2) provide continuing assistance to and oversight of the implementation of this section by agencies.

The following section originally was part of the Privacy Act but was not codified; it may be found at § 552a (note).

Sec. 7(a) (1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number.

(2) the provisions of paragraph (1) of this subsection shall not apply with respect to--

(A) any disclosure which is required by Federal statute, or

(B) any disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.

(b) Any Federal, State or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

The following sections originally were part of P.L. 100-503, the Computer Matching and Privacy Protection Act of 1988; they may be found at § 552a (note).

Sec. 6 Functions of the Director of the Office of Management and Budget.

(b) Implementation Guidance for Amendments -- The Director shall, pursuant to section 552a(v) of Title 5, United States Code, develop guidelines and regulations for the use of agencies in implementing the amendments made by this Act not later than 8 months after the date of enactment of this Act.

Sec. 9 Rules of Construction.

Nothing in the amendments made by this Act shall be construed to authorize--

(1) the establishment or maintenance by any agency of a national data bank that combines, merges, or links information on individuals maintained in systems of records by other Federal agencies;

(2) the direct linking of computerized systems of records maintained by Federal agencies;

(3) the computer matching of records not otherwise authorized by law; or

(4) the disclosure of records for computer matching except to a Federal, State, or local agency.

Sec. 10 Effective Dates.

(a) In Genera l -- Except as provided in subsection (b), the amendments made by this Act shall take effect 9 months after the date of enactment of this Act.

(b) Exceptions -- The amendment made by sections 3(b) [Notice of Matching Programs -- Report to Congress and the Office of Management and Budget], 6 [Functions of the Director of the Office of Management and Budget], 7 [Compilation of Rules and Notices], and 8 [Annual Report] of this Act shall take effect upon enactment.

 TOP

Last Updated: 10/14/2015 2:11 PM

Contact Us

Department of the Treasury
1500 Pennsylvania Ave., N.W.
Washington, D.C. 20220

General Information: (202) 622-2000
Fax: (202) 622-6415
Hours: Mon-Fri 8:00am - 5:00pm

Untitled 1
Untitled 1

E-Mail Signup

Sign Up to Receive Treasury.gov News src= Sign up to Receive
Treasury.gov News