From the Privacy Act Online via GPO Access [wais.access.gpo.gov] [DOCID:exec-8] PRIVACY ACT RULES EXECUTIVE OFFICE OF THE PRESIDENT, OFFICE OF ADMINISTRATION Title 5-Administrative Personnel Chapter XV-Office of Administration, Executive Office of the President PART 2504--PRIVACY ACT REGULATIONS Sec. 2504.1 Purpose and scope. 2504.2 Definitions. 2504.3 Annual notice of systems of records maintained. 2504.4 Determining if an individual is the subject of a record. 2504.5 Granting access to a record. 2504.6 Special procedures for medical records. 2504.7 Granting access when accompanied by another individual. 2504.8 Action on request. 2504.9 Identification requirements. 2504.10 Access of others to records about an individual. 2504.11 Access to the accounting of disclosures from records. 2504.12 Denials of access. 2504.13 Requirements for requests to amend records. 2504.14 Action on request to amend a record. 2504.15 Procedures for appeal of determination to deny access to or to amendment of records. 2504.16 Appeals process. 2504.17 Fees. 2504.18 Penalties. Authority: 5 U.S.C. 552a. Source: 45 FR 41121, June 18, 1980, unless otherwise noted. Sec. 2504.1 Purpose and scope. These regulations implement the Privacy Act of 1974, 5 U.S.C. 552a. The regulations apply to all records maintained by the Office of Administration that are contained in a system of records, and that contain information about an individual. The regulations also establish procedures that (a) authorize an individual's access to records maintained about him; (b) limit the access of other persons to those records, and (c) permit an individual to request the amendment or correction of records about him. Sec. 2504.2 Definitions. For the purposes of this part-- (a) ``Office'' means the Office of Administration, Executive Office of the President; (b) ``Individual'' means a citizen of the United States or an alien lawfully admitted for permanent residence. (c) ``Maintain'' means collect, use or distribute; (d) ``Record'' means any item collection or grouping of information about an individual that is maintained by the Office, including but not limited to education, financial transactions, medical history, and criminal or employment history and that contain's the individual's name, identifying number, symbol, or other identifiers assigned to the individual, such as a finger or voice print or photograph; (e) ``System of records'' means a group of any records controlled by the Office and from which information is retrieved by the name of the individual; (f) ``System manager'' means the employee of the Office who is responsible for the maintenance, collection, use or distribution of information contained in a system of records; (g) ``Routine use'' means, with respect to the disclosure of a record, the use of that record for a purpose consistent with the purpose for which it was collected; (h) ``Subject individual'' means the individual by whose name or other personal identifier a record is maintained or retrieved; (i) ``Statistical record'' means record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by section 8 of Title 13 U.S.C.; (j) ``Agency'' means agency as defined in 5 U.S.C. 552(e); (k) ``Work days'' as used in calculating the date when response is due does not include Saturdays, Sundays and legal public holidays. Sec. 2504.3 Annual notice of systems of records maintained. The Office will publish in the Federal Register upon establishment or revision a notice of the existence and character of the systems of records the Office maintains. The notice shall include (a) the system name, (b) the system location, (c) the categories of individuals covered by the system, (d) the categories of records in the system, (e) the Office's authority to maintain the system, (f) the routine uses of the system, (g) the Office's policies and practice for maintenance of the system, (h) the system manager, (i) the procedures for notification, access to and correction of records in the system, and (j) the sources of information for the system. [45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984] Sec. 2504.4 Determining if an individual is the subject of a record. (a) Individuals desiring to know if a specific system of records maintained by the Office contains a record pertaining to them should address inquiries to the Privacy Act Officer, Office of Administration, Washington, DC 20503. (b) Inquiries must be in writing and the words ``PRIVACY ACT REQUEST'' should be printed on both the letter and the envelope. The request letter should contain the complete name and identifying number of the pertinent system as published in the annual Federal Register notice describing the Office's Systems of Records; the full name and address of the subject individual; a brief description of the nature, time, place and circumstances of the individual's prior association with the Office; and any other information the individual believes would help the Privacy Act Officer determine whether the information about the individual is included in the system of records. In instances when the information is insufficient to ensure disclosure to the subject individual to whom the record pertains, the Office reserves the right to ask the requestor for additional identifying information. (c) To the extent possible, the Privacy Act Officer will answer or acknowledge the inquiry within 10 work days of its receipt by the Office. When the response cannot be made within 10 work days, the Privacy Act Officer will provide the requestor with the date when a response may be expected and, whenever possible, the specific reasons for the delay. [45 FR 41121, June 18, 1980, as amended at 49 FR 28235, July 11, 1984] Sec. 2504.5 Granting access to a record. (a) An individual requesting access to a record about himself in a system of records maintained by the Office should submit the request in writing to the Privacy Act Officer. Due to security measures at the Old and New Executive Office Buildings, requests made in person can only be accepted from current Office employees, who should make access requests to the Privacy Act Officer on regularly scheduled work days between 9 a.m. and 5:30 p.m. (b) The request for access should contain the same information set forth in Sec. 2504.4(b). However, if the request for access follows a request made under Sec. 2504.4(a) and (b) of this part, the same identifying information need not be included: Provided, That a copy of the prior request or a copy of the Office's response to that request is attached. The request should state if a copy of the record is desired. [45 FR 41121, June 18, 1980, as amended by 49 FR 28235, July 11, 1984] Sec. 2504.6 Special procedures for medical records. (a) When the Privacy Officer receives a request from an individual for access to those official medical records which belong to the Office of Personnel Management and are described in Chapter 339, Federal Personnel Manual (medical records about entrance qualification or fitness for duty, or medical records which are otherwise filed in the Official Personnel Folder), the pertinent records shall be referred to a Federal Medical Officer for review and determination in accordance with this section. If no Federal Medical Officer is available to make the determination required by this section, the Privacy Act Officer shall refer the request and the medical reports concerned to the Office of Personnel Management for determination. (b) If, in the opinion of a Federal Medical Officer, medical records requested by the subject individual indicate a condition about which a prudent physician would hesitate to inform a person suffering from such a condition of its exact nature and probable outcome, the Privacy Officer shall not release the medical information to the subject individual nor to any person other than a physician designated in writing by the subject individual, his guardian, or conservator. (c) If, in the opinion of a Federal Medical Officer, the medical information does not indicate the presence of any condition which would cause a prudent physician to hesitate to inform a person suffering from such a condition of its exact nature and probably outcome, the Privacy Act Officer shall release it to the subject individual or to any person, firm, or organization which the individual authorizes in writing to receive it. [45 FR 41121, June 18, 1980, as amended at 49 FR 28235, July 11, 1984] Sec. 2504.7 Granting access when accompanied by another individual. An individual who wishes to have a person of his choosing review, accompany him (or her) in reviewing, or obtain a copy of a record must, prior to the disclosure, sign a statement authorizing the disclosure of his record. The statement shall be maintained with the record. Sec. 2504.8 Action on request. (a) The Privacy Act Officer shall acknowledge requests for access within 10 work days of its receipt by the Office. At a minimum, the acknowledgement shall include: (1) When and where the records will be available; (2) The name, title and telephone number of the official who will make the records available; (3) Whether access will be granted only through providing a copy of the record through the mail, or only by examination of the record in person if the Privacy Act Officer after consulting with the appropriate system manager has determined the requestor's access would not be unduly impeded; (4) Fee, if any, charged for copies. (See Sec. 2504.17); and (5) Identification documentation required to verify the identify of the requestor (see Sec. 2504.9). [45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984] Sec. 2504.9 Identification requirements. (a) A requestor should be prepared to identify himself (or herself) by signature, i.e., to note by signature the date of access and/or to produce two other legal forms of identification (driver's license, employee identification, annuitant card, passport, etc.). (b) If an individual is unable to produce adequate identification, the individual shall sign a statement asserting identity and acknowledging that knowingly or willfully seeking or obtaining access to records about another person under false pretenses may result in a fine of up to $5,000 (see Sec. 2504.18). In addition, depending upon the sensitivity of the records, the Privacy Act Officer after consulting with the appropriate system manager may require further reasonable assurances, such as statements of other individuals who can attest to the identity of the requestor. (c) If access is granted by mail, the identity of the requestor shall be verified by comparing signatures. If, in the opinion of the Privacy Act Officer after consulting with the appropriate system manager, the granting of access through the mail may result in harm or embarrassment if disclosed to a person other than the subject individual, a notarized statement of identify or some other similar assurance of identity will be required. [45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984] Sec. 2504.10 Access of others to records about an individual. (a) No official or employee of the Office shall disclose any record to any person or to another agency without the express written consent of the subject individual, unless the disclosure is: (1) To officers or employees of the Office who need the information to perform their official duties; (2) Under the requirements of the Freedom of Information Act; (3) For a routine use that has been published in a notice in the Federal Register; (4) To the Bureau of the Census for uses under Title 13 of the United States Code; (5) To a person or agency who has given the Office advance written notice of the purpose of the request and certification that the record will be used only for statistical purposes. (In addition to deleting personal identifying information from records released for statistical purposes, the Privacy Act Officer shall ensure that the identity of the individual cannot reasonably be deduced by combining various statistical records); (6) To the National Archives of the United States if a record has sufficient historical or other value to be preserved by the United States Government, or to the Privacy Act Officer (or a designee) to determine whether the record has that value; (7) In response to written request, that identifies the record and the purpose of the request, made by another agency or instrumentality of any Government jurisdiction within or under the control of the United States for civil or criminal law enforcement activity, if that activity is authorized by law; (8) To a person who, showing compelling circumstances, needs the information to prevent harm to the health or safety of an individual, but not necessarily the individual to whom the record pertains (upon such disclosure, a notification shall be sent to the last know address of the subject individual); (9) To either House of Congress, or to a Congressional committee or subcommittee if the subject matter is within its jurisdiction; (10) To the Comptroller General, or an authorized representative, to carry out the duties of the General Accounting Office; (11) Pursuant to a court order; (12) To a consumer reporting agency in accordance with section 3711(f) of Title 31. [45 FR 41121, Jun. 18, 1980, as amended at 49 FR 28236, July 11, 1984] Sec. 2504.11 Access to the accounting of disclosures from records. Rules governing access to the accounting of disclosures are the same as those granting access to the records. Sec. 2504.12 Denials of access. (a) The Privacy Act Officer may deny an individual access to his (or her) record if: (1) In the opinion of the Privacy Act Officer, the individual seeking access has not provided sufficient identification documentation to permit access; or (2) The Office has published rules in the Federal Register exempting the pertinent system of records from the access requirement. (b) If access is denied, the requestor shall be informed of the reasons for denial and the procedures to obtain a review of the denial (see Sec. 2504.15). [45 FR 41121, June 18,1980, as amended at 49 FR 28236, July 11, 1984] Sec. 2504.13 Requirements for requests to amend records. (a) Individuals who desire to correct or amend a record pertaining to them should submit a written request to the Privacy Act Officer, Office of Administration, Washington, DC 20503. The words ``PRIVACY ACT-- REQUEST TO AMEND RECORD'' should be written on the letter and the envelope. (b) The request for amendment or correction of the record must state the exact name of the system of records as published in the Federal Register; a precise description of the record proposed for amendment; a brief statement describing the information the requestor believes to be inaccurate or incomplete, and why; and, the amendment or correction desired. If the request to amend the record is the result of the individual's having accessed the record in accordance with Sec. Sec. 2504.5, 2504.6, 2504.7, 2504.8 of this part, copies of previous correspondence between the requestor and the Office should be attached, if possible. (c) Individuals needing assistance in preparing a request to amend a record may contact the Privacy Act Officer at the address cited in Sec. 2504.13(a) of this part. (d) If the individual's identity has not been previously verified, the Office may require identification documentation as described in Sec. 2504.9. [45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984] Sec. 2504.14 Action on request to amend a record. (a) A request for amendment of a record will be acknowledged within 10 work days of its receipt by the Office. If a decision cannot be made within this time, the requestor will be informed by mail of the reasons for the delay and the date when a reply can be expected, normally within 30 work days from receipt of the request. (b) The final response will include the Office's determination of whether to grant or deny the request. If the request is denied, the response will include: (1) The reasons for the decision; (2) The name and address of the official to whom an appeal should be directed; (3) The name and address of the official designated to assist the individual in preparing the appeal; (4) A description of the appeal process within the Office; and (5) A description of any other procedures which may be required of the individual in order to process the appeal. Sec. 2504.15 Procedures for appeal of determination deny access to or amendment of records. (a) Individuals who disagree with the refusal of the Office to grant them access to or to amend a record about them should submit a written request for review to the Privacy Act Officer, Office of Administration, Washington, DC 20503. The words ``PRIVACY ACT--APPEAL'' should be written on the letter and the envelope. Individuals desiring assistance preparing their appeal should contact the Privacy Act Officer. (b) The appeal letter must be received by the Office within 30 calendar days from the date the requestor received the notice of denial. At a minimum, the appeal letter should identify: (1) The records involved; (2) The date of the initial request for access to or amendment of the record; (3) The date of the Office denial of that request; and (4) The reasons supporting the request for reversal of the Office's decision. Copies of previous correspondence from the Office denying the request to access or amend the record should also be attached, if possible. (c) The Office reserves the right to dispose of correspondence concerning the request to access or amend a record if no request for review of the Office's decision is received within 180 days of the decision date. Therefore, a request for review received after 180 days may, at the discretion of the Privacy Act Officer, be treated as an initial request to access or amend a record. [45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11,1984] Sec. 2504.16 Appeals process. (a) Within 20 work days of receiving the request for review, a review group composed of the Privacy Act Officer, the General Counsel and the Official having operational control over the record, will propose a determination on the appeal for the Director's final decision. If a final determination cannot be made in 20 days, the requestor will be informed of the reasons for the delay and the date on which a final decision can be expected. Such extensions are unusal, and should not exceed an additional 30 work days. (b) If the original request was for access and the initial determination is reversed, the procedures in Sec. 2504.8 will be followed. If the initial determination is upheld, the requestor will be so informed and advised of the right to judicial review pursuant to 5 U.S.C. 552a(g). (c) If the initial denial of a request to amend a record is reversed, the Office will correct the record as requested and advise the individual of the correction. If the original decision is upheld, the requestor will be so advised and informed in writing of the right to judicial review pursuant to 5 U.S.C. 552a(g). In addition, the requestor will be advised of his (or her) right to file a concise statement of disagreement with the Director. The statement of disagreement should include an explanation of why the requestor believes the record is inaccurate, irrelevant, untimely or incomplete. The Director shall maintain the statement of disagreement with the disputed record, and shall include a copy of the statement of disagreement in any disclosure of the record. Additionally, the Privacy Act Officer shall provide a copy of the statement of disagreement to any person or agency to whom the record has been disclosed, if the disclosure was made pursuant to Sec. 2504.10 (5 U.S.C. 552(a)(c)). [45 FR 41121,June 18, 1980, as amended at 49 FR 28236, July 11, 1984] Sec. 2504.17 Fees. (a) Individuals will not be charged for: (1) The search and review of the record; (2) Any copies produced to make the record available for access; (3) Copies of the requested record if access can only be accomplished by providing a copy through the mail; and (4) Copies of three (3) or less pages of a requested record. (b) Records will be photocopied for 10 cents per page for four pages or more (except for paragraphs (a)(1), (2), (3), (4) of this section). If the record is larger than 8\1/2\ x 14 inches, the fee will be the cost of reproducing the record through Government or commerical sources. (c) Fees shall be paid in full prior to issuance of requested copies. Payment shall be by personal check or money order payable to the Treasurer of the United States, and mailed or delivered to the Privacy Act Officer, Office of Administration, Washington, DC 20503. (d) The Privacy Act Officer may waive the fee if: (1) The cost of collecting the fee exceeds the amount collected; or (2) The production of the copies at no charge is in the best interest of the government. (e) A receipt will be furnished on request. [45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984] Sec. 2504.18 Penalties. (a) Title 18, U.S.C. section 1001, Crimes and Criminal Procedures, makes it a criminal offense, subject to a maximum fine of $10,000 or imprisonment for not more than five years, or both, to knowingly and willfully make or cause to be made any false or fraudulent statements or representation in any matter within the jurisdiction of any agency of the United States. Section (i) (3) of the Privacy Act (5 U.S.C. 552a) makes it a misdemeanor, subject to a maximum fine of $5,000 to knowingly and willfully request or obtain any record concerning an individual under false pretenses. Sections (i) (1) and (2) or 5 U.S.C. 552a provide penalties for violations by agency employees of the Privacy Act or regulations established thereunder.