![[Footer icon]](/WH/images/footer.gif){kind=small}
From the Privacy Act Online via GPO Access [wais.access.gpo.gov]
[DOCID:exec-8]
PRIVACY ACT RULES
EXECUTIVE OFFICE OF THE PRESIDENT, OFFICE OF ADMINISTRATION
Title 5-Administrative Personnel
Chapter XV-Office of Administration, Executive Office of the President
PART 2504--PRIVACY ACT REGULATIONS
Sec.
2504.1 Purpose and scope.
2504.2 Definitions.
2504.3 Annual notice of systems of records maintained.
2504.4 Determining if an individual is the subject of a record.
2504.5 Granting access to a record.
2504.6 Special procedures for medical records.
2504.7 Granting access when accompanied by another individual.
2504.8 Action on request.
2504.9 Identification requirements.
2504.10 Access of others to records about an individual.
2504.11 Access to the accounting of disclosures from records.
2504.12 Denials of access.
2504.13 Requirements for requests to amend records.
2504.14 Action on request to amend a record.
2504.15 Procedures for appeal of determination to deny access to or to
amendment of records.
2504.16 Appeals process.
2504.17 Fees.
2504.18 Penalties.
Authority: 5 U.S.C. 552a.
Source: 45 FR 41121, June 18, 1980, unless otherwise noted.
Sec. 2504.1 Purpose and scope.
These regulations implement the Privacy Act of 1974, 5 U.S.C. 552a.
The regulations apply to all records maintained by the Office of
Administration that are contained in a system of records, and that
contain information about an individual. The regulations also establish
procedures that (a) authorize an individual's access to records
maintained about him; (b) limit the access of other persons to those
records, and (c) permit an individual to request the amendment or
correction of records about him.
Sec. 2504.2 Definitions.
For the purposes of this part--
(a) ``Office'' means the Office of Administration, Executive Office of
the President;
(b) ``Individual'' means a citizen of the United States or an alien
lawfully admitted for permanent residence.
(c) ``Maintain'' means collect, use or distribute;
(d) ``Record'' means any item collection or grouping of information
about an individual that is maintained by the Office, including but not
limited to education, financial transactions, medical history, and
criminal or employment history and that contain's the individual's name,
identifying number, symbol, or other identifiers assigned to the
individual, such as a finger or voice print or photograph;
(e) ``System of records'' means a group of any records controlled by
the Office and from which information is retrieved by the name of the
individual;
(f) ``System manager'' means the employee of the Office who is
responsible for the maintenance, collection, use or distribution of
information contained in a system of records;
(g) ``Routine use'' means, with respect to the disclosure of a record,
the use of that record for a purpose consistent with the purpose for
which it was collected;
(h) ``Subject individual'' means the individual by whose name or other
personal identifier a record is maintained or retrieved;
(i) ``Statistical record'' means record in a system of records
maintained for statistical research or reporting purposes only and not
used in whole or in part in making any determination about an
identifiable individual, except as provided by section 8 of Title 13
U.S.C.;
(j) ``Agency'' means agency as defined in 5 U.S.C. 552(e);
(k) ``Work days'' as used in calculating the date when response is due
does not include Saturdays, Sundays and legal public holidays.
Sec. 2504.3 Annual notice of systems of records maintained.
The Office will publish in the Federal Register upon establishment or
revision a notice of the existence and character of the systems of
records the Office maintains. The notice shall include (a) the system
name, (b) the system location, (c) the categories of individuals covered
by the system, (d) the categories of records in the system, (e) the
Office's authority to maintain the system, (f) the routine uses of the
system, (g) the Office's policies and practice for maintenance of the
system, (h) the system manager, (i) the procedures for notification,
access to and correction of records in the system, and (j) the sources
of information for the system.
[45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984]
Sec. 2504.4 Determining if an individual is the subject of a record.
(a) Individuals desiring to know if a specific system of records
maintained by the Office contains a record pertaining to them should
address inquiries to the Privacy Act Officer, Office of Administration,
Washington, DC 20503.
(b) Inquiries must be in writing and the words ``PRIVACY ACT REQUEST''
should be printed on both the letter and the envelope. The request
letter should contain the complete name and identifying number of the
pertinent system as published in the annual Federal Register notice
describing the Office's Systems of Records; the full name and address of
the subject individual; a brief description of the nature, time, place
and circumstances of the individual's prior association with the Office;
and any other information the individual believes would help the Privacy
Act Officer determine whether the information about the individual is
included in the system of records. In instances when the information is
insufficient to ensure disclosure to the subject individual to whom the
record pertains, the Office reserves the right to ask the requestor for
additional identifying information.
(c) To the extent possible, the Privacy Act Officer will answer or
acknowledge the inquiry within 10 work days of its receipt by the
Office. When the response cannot be made within 10 work days, the
Privacy Act Officer will provide the requestor with the date when a
response may be expected and, whenever possible, the specific reasons
for the delay.
[45 FR 41121, June 18, 1980, as amended at 49 FR 28235, July 11, 1984]
Sec. 2504.5 Granting access to a record.
(a) An individual requesting access to a record about himself in a
system of records maintained by the Office should submit the request in
writing to the Privacy Act Officer. Due to security measures at the Old
and New Executive Office Buildings, requests made in person can only be
accepted from current Office employees, who should make access requests
to the Privacy Act Officer on regularly scheduled work days between 9
a.m. and 5:30 p.m.
(b) The request for access should contain the same information set
forth in Sec. 2504.4(b). However, if the request for access follows a
request made under Sec. 2504.4(a) and (b) of this part, the same
identifying information need not be included: Provided, That a copy of
the prior request or a copy of the Office's response to that request is
attached. The request should state if a copy of the record is desired.
[45 FR 41121, June 18, 1980, as amended by 49 FR 28235, July 11, 1984]
Sec. 2504.6 Special procedures for medical records.
(a) When the Privacy Officer receives a request from an individual for
access to those official medical records which belong to the Office of
Personnel Management and are described in Chapter 339, Federal Personnel
Manual (medical records about entrance qualification or fitness for
duty, or medical records which are otherwise filed in the Official
Personnel Folder), the pertinent records shall be referred to a Federal
Medical Officer for review and determination in accordance with this
section. If no Federal Medical Officer is available to make the
determination required by this section, the Privacy Act Officer shall
refer the request and the medical reports concerned to the Office of
Personnel Management for determination.
(b) If, in the opinion of a Federal Medical Officer, medical records
requested by the subject individual indicate a condition about which a
prudent physician would hesitate to inform a person suffering from such
a condition of its exact nature and probable outcome, the Privacy
Officer shall not release the medical information to the subject
individual nor to any person other than a physician designated in
writing by the subject individual, his guardian, or conservator.
(c) If, in the opinion of a Federal Medical Officer, the medical
information does not indicate the presence of any condition which would
cause a prudent physician to hesitate to inform a person suffering from
such a condition of its exact nature and probably outcome, the Privacy
Act Officer shall release it to the subject individual or to any person,
firm, or organization which the individual authorizes in writing to
receive it.
[45 FR 41121, June 18, 1980, as amended at 49 FR 28235, July 11, 1984]
Sec. 2504.7 Granting access when accompanied by another individual.
An individual who wishes to have a person of his choosing review,
accompany him (or her) in reviewing, or obtain a copy of a record must,
prior to the disclosure, sign a statement authorizing the disclosure of
his record. The statement shall be maintained with the record.
Sec. 2504.8 Action on request.
(a) The Privacy Act Officer shall acknowledge requests for access
within 10 work days of its receipt by the Office. At a minimum, the
acknowledgement shall include:
(1) When and where the records will be available;
(2) The name, title and telephone number of the official who will make
the records available;
(3) Whether access will be granted only through providing a copy of
the record through the mail, or only by examination of the record in
person if the Privacy Act Officer after consulting with the appropriate
system manager has determined the requestor's access would not be unduly
impeded;
(4) Fee, if any, charged for copies. (See Sec. 2504.17); and
(5) Identification documentation required to verify the identify of
the requestor (see Sec. 2504.9).
[45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984]
Sec. 2504.9 Identification requirements.
(a) A requestor should be prepared to identify himself (or herself) by
signature, i.e., to note by signature the date of access and/or to
produce two other legal forms of identification (driver's license,
employee identification, annuitant card, passport, etc.).
(b) If an individual is unable to produce adequate identification, the
individual shall sign a statement asserting identity and acknowledging
that knowingly or willfully seeking or obtaining access to records about
another person under false pretenses may result in a fine of up to
$5,000 (see Sec. 2504.18). In addition, depending upon the sensitivity
of the records, the Privacy Act Officer after consulting with the
appropriate system manager may require further reasonable assurances,
such as statements of other individuals who can attest to the identity
of the requestor.
(c) If access is granted by mail, the identity of the requestor shall
be verified by comparing signatures. If, in the opinion of the Privacy
Act Officer after consulting with the appropriate system manager, the
granting of access through the mail may result in harm or embarrassment
if disclosed to a person other than the subject individual, a notarized
statement of identify or some other similar assurance of identity will
be required.
[45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984]
Sec. 2504.10 Access of others to records about an individual.
(a) No official or employee of the Office shall disclose any record to
any person or to another agency without the express written consent of
the subject individual, unless the disclosure is:
(1) To officers or employees of the Office who need the information to
perform their official duties;
(2) Under the requirements of the Freedom of Information Act;
(3) For a routine use that has been published in a notice in the
Federal Register;
(4) To the Bureau of the Census for uses under Title 13 of the United
States Code;
(5) To a person or agency who has given the Office advance written
notice of the purpose of the request and certification that the record
will be used only for statistical purposes. (In addition to deleting
personal identifying information from records released for statistical
purposes, the Privacy Act Officer shall ensure that the identity of the
individual cannot reasonably be deduced by combining various statistical
records);
(6) To the National Archives of the United States if a record has
sufficient historical or other value to be preserved by the United
States Government, or to the Privacy Act Officer (or a designee) to
determine whether the record has that value;
(7) In response to written request, that identifies the record and the
purpose of the request, made by another agency or instrumentality of any
Government jurisdiction within or under the control of the United States
for civil or criminal law enforcement activity, if that activity is
authorized by law;
(8) To a person who, showing compelling circumstances, needs the
information to prevent harm to the health or safety of an individual,
but not necessarily the individual to whom the record pertains (upon
such disclosure, a notification shall be sent to the last know address
of the subject individual);
(9) To either House of Congress, or to a Congressional committee or
subcommittee if the subject matter is within its jurisdiction;
(10) To the Comptroller General, or an authorized representative, to
carry out the duties of the General Accounting Office;
(11) Pursuant to a court order;
(12) To a consumer reporting agency in accordance with section 3711(f)
of Title 31.
[45 FR 41121, Jun. 18, 1980, as amended at 49 FR 28236, July 11, 1984]
Sec. 2504.11 Access to the accounting of disclosures from records.
Rules governing access to the accounting of disclosures are the same
as those granting access to the records.
Sec. 2504.12 Denials of access.
(a) The Privacy Act Officer may deny an individual access to his (or
her) record if: (1) In the opinion of the Privacy Act Officer, the
individual seeking access has not provided sufficient identification
documentation to permit access; or
(2) The Office has published rules in the Federal Register exempting
the pertinent system of records from the access requirement.
(b) If access is denied, the requestor shall be informed of the
reasons for denial and the procedures to obtain a review of the denial
(see Sec. 2504.15).
[45 FR 41121, June 18,1980, as amended at 49 FR 28236, July 11, 1984]
Sec. 2504.13 Requirements for requests to amend records.
(a) Individuals who desire to correct or amend a record pertaining to
them should submit a written request to the Privacy Act Officer, Office
of Administration, Washington, DC 20503. The words ``PRIVACY ACT--
REQUEST TO AMEND RECORD'' should be written on the letter and the
envelope.
(b) The request for amendment or correction of the record must state
the exact name of the system of records as published in the Federal
Register; a precise description of the record proposed for amendment; a
brief statement describing the information the requestor believes to be
inaccurate or incomplete, and why; and, the amendment or correction
desired. If the request to amend the record is the result of the
individual's having accessed the record in accordance with
Sec. Sec. 2504.5, 2504.6, 2504.7, 2504.8 of this part, copies of
previous correspondence between the requestor and the Office should be
attached, if possible.
(c) Individuals needing assistance in preparing a request to amend a
record may contact the Privacy Act Officer at the address cited in
Sec. 2504.13(a) of this part.
(d) If the individual's identity has not been previously verified, the
Office may require identification documentation as described in
Sec. 2504.9.
[45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984]
Sec. 2504.14 Action on request to amend a record.
(a) A request for amendment of a record will be acknowledged within 10
work days of its receipt by the Office. If a decision cannot be made
within this time, the requestor will be informed by mail of the reasons
for the delay and the date when a reply can be expected, normally within
30 work days from receipt of the request.
(b) The final response will include the Office's determination of
whether to grant or deny the request. If the request is denied, the
response will include:
(1) The reasons for the decision;
(2) The name and address of the official to whom an appeal should be
directed;
(3) The name and address of the official designated to assist the
individual in preparing the appeal;
(4) A description of the appeal process within the Office; and
(5) A description of any other procedures which may be required of the
individual in order to process the appeal.
Sec. 2504.15 Procedures for appeal of determination deny access to
or amendment of records.
(a) Individuals who disagree with the refusal of the Office to grant
them access to or to amend a record about them should submit a written
request for review to the Privacy Act Officer, Office of Administration,
Washington, DC 20503. The words ``PRIVACY ACT--APPEAL'' should be
written on the letter and the envelope. Individuals desiring assistance
preparing their appeal should contact the Privacy Act Officer.
(b) The appeal letter must be received by the Office within 30
calendar days from the date the requestor received the notice of denial.
At a minimum, the appeal letter should identify:
(1) The records involved;
(2) The date of the initial request for access to or amendment of the
record;
(3) The date of the Office denial of that request; and
(4) The reasons supporting the request for reversal of the Office's
decision.
Copies of previous correspondence from the Office denying the request to
access or amend the record should also be attached, if possible.
(c) The Office reserves the right to dispose of correspondence
concerning the request to access or amend a record if no request for
review of the Office's decision is received within 180 days of the
decision date. Therefore, a request for review received after 180 days
may, at the discretion of the Privacy Act Officer, be treated as an
initial request to access or amend a record.
[45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11,1984]
Sec. 2504.16 Appeals process.
(a) Within 20 work days of receiving the request for review, a review
group composed of the Privacy Act Officer, the General Counsel and the
Official having operational control over the record, will propose a
determination on the appeal for the Director's final decision. If a
final determination cannot be made in 20 days, the requestor will be
informed of the reasons for the delay and the date on which a final
decision can be expected. Such extensions are unusal, and should not
exceed an additional 30 work days.
(b) If the original request was for access and the initial
determination is reversed, the procedures in Sec. 2504.8 will be
followed. If the initial determination is upheld, the requestor will be
so informed and advised of the right to judicial review pursuant to 5
U.S.C. 552a(g).
(c) If the initial denial of a request to amend a record is reversed,
the Office will correct the record as requested and advise the
individual of the correction. If the original decision is upheld, the
requestor will be so advised and informed in writing of the right to
judicial review pursuant to 5 U.S.C. 552a(g). In addition, the requestor
will be advised of his (or her) right to file a concise statement of
disagreement with the Director. The statement of disagreement should
include an explanation of why the requestor believes the record is
inaccurate, irrelevant, untimely or incomplete. The Director shall
maintain the statement of disagreement with the disputed record, and
shall include a copy of the statement of disagreement in any disclosure
of the record. Additionally, the Privacy Act Officer shall provide a
copy of the statement of disagreement to any person or agency to whom
the record has been disclosed, if the disclosure was made pursuant to
Sec. 2504.10 (5 U.S.C. 552(a)(c)).
[45 FR 41121,June 18, 1980, as amended at 49 FR 28236, July 11, 1984]
Sec. 2504.17 Fees.
(a) Individuals will not be charged for:
(1) The search and review of the record;
(2) Any copies produced to make the record available for access;
(3) Copies of the requested record if access can only be accomplished
by providing a copy through the mail; and
(4) Copies of three (3) or less pages of a requested record.
(b) Records will be photocopied for 10 cents per page for four pages
or more (except for paragraphs (a)(1), (2), (3), (4) of this section).
If the record is larger than 8\1/2\ x 14 inches, the fee will be the
cost of reproducing the record through Government or commerical sources.
(c) Fees shall be paid in full prior to issuance of requested copies.
Payment shall be by personal check or money order payable to the
Treasurer of the United States, and mailed or delivered to the Privacy
Act Officer, Office of Administration, Washington, DC 20503.
(d) The Privacy Act Officer may waive the fee if:
(1) The cost of collecting the fee exceeds the amount collected; or
(2) The production of the copies at no charge is in the best interest
of the government.
(e) A receipt will be furnished on request.
[45 FR 41121, June 18, 1980, as amended at 49 FR 28236, July 11, 1984]
Sec. 2504.18 Penalties.
(a) Title 18, U.S.C. section 1001, Crimes and Criminal Procedures,
makes it a criminal offense, subject to a maximum fine of $10,000 or
imprisonment for not more than five years, or both, to knowingly and
willfully make or cause to be made any false or fraudulent statements or
representation in any matter within the jurisdiction of any agency of
the United States. Section (i) (3) of the Privacy Act (5 U.S.C. 552a)
makes it a misdemeanor, subject to a maximum fine of $5,000 to knowingly
and willfully request or obtain any record concerning an individual
under false pretenses. Sections (i) (1) and (2) or 5 U.S.C. 552a provide
penalties for violations by agency employees of the Privacy Act or
regulations established thereunder.
![[White House]](/WH/images/home_icon2.gif)
![[OA]](oa_info.gif)
![[FOIA icon]](foia_info.gif)
![[Help Desk icon]](/WH/images/pin_info2.gif)