(a) Upon written request by any individual outside of GAO or upon written or oral request by any officer or employee of GAO to gain access to his or her record or to any information pertaining to the individual which is contained in a system of personnel records, and not otherwise exempted, GAO shall permit the individual and upon the individual's request a person of his or her own choosing to accompany them, to review the record and have a copy made of all or any portion thereof in a form comprehensible to them, except that GAO may require the individual to furnish a written statement authorizing discussion of that individual's record in the accompanying person's presence. When access to the records has been granted by a system manager or designee:
(1) Inspection in person may be made in the office designated in the system notice during the hours specified by GAO.
(2) Upon the determination of the designated GAO official, records may be transferred to a GAO office more convenient to the data subject to review.
(3) Generally, GAO will not furnish certified copies of records. Where certified copies of records are to be furnished, they may be mailed at the request of the data subject or, as determined by GAO, only after payment of any fee levied in accordance with § 83.17 is received.
(4) In no event shall original records be made available for review by the individual except in the presence of a system manager or designee.
(b) The general identifying information items that the designated GAO official may ask to be furnished before a specific inquiry is granted include:
(1) Full name, signature, and home address;
(2) Picture identification card;
(3) The current or last place and dates of Federal employment, if appropriate; and
(4) Social security number (for those systems of records retrieved by this identifier).
(c) A request or inquiry from someone other than the individual to whom the information pertains shall contain such documents or copies of documents that establish the relationship or authorize access as follows:
(1) When the requester is the parent or legal guardian of a data subject who is a minor, the requester shall identify the relationship with the data subject and furnish a certified or authenticated (e.g. notarized) copy of any document establishing parentage or appointment as legal guardian.
(2) Where the requester is the legal guardian of a data subject who has been declared incompetent by the courts, the requester shall identify the relationship with the data subject and furnish a certified or authenticated copy of the court's appointment of guardianship.
(3) Where the requester is a representative of the data subject, the requester shall identify the relationship with the data subject or the data subject's parent or legal guardian, and furnish documentation designating the representative as having the authority to act on behalf of the data subject.
(d) When the requester appears in person and cannot be identified by sight and signature, proof of identity is required as follows:
(1) When a request is from the data subject, the means of proof, in order of preference, are:
(i) A document bearing the individual's photograph and signature (for example, driver's license, passport, or military or civilian identification card); or
(ii) Two documents bearing the individual's signature (for example, Medicare card, unemployment insurance book, employer identification card, major credit card, professional, draft, or union membership card).
(2) When a request is made by the parent, legal guardian, or authorized representative of the data subject, the means of identifying the requester and his or her authority for acting on behalf of the data subject shall be as prescribed in paragraph (c) of this section. In addition, the requester shall establish the identity of the data subject by requiring the identifying information in paragraph (b) of this section.
(e) When a written inquiry or request is received from the data subject, or from the data subject's parent, legal guardian, or authorized representative, it should be signed and—
(1) For an inquiry, contain sufficient identifying information about the data subject to permit searching of the record system(s) and to permit response; and
(2) For an access request—
(i) From the data subject, contain sufficient information to locate the record and establish that the requester and the data subject are the same (e.g. matching signatures); or
(ii) From the data subject's parent, legal guardian, or authorized representative, contain sufficient information to locate the record, match identity with the data subject, and such documentation of association or authorization as is prescribed in paragraphs (c) and (d) of this section.
(f) The signed request from the data subject, or from the data subject's parent, legal guardian, or authorized representative specified in paragraph (c) of this section shall be sufficient proof of identity of the requester, unless for good cause, the system manager or designee determines that there is a need to require some notarized or certified evidence of the identity of the requester.
[50 FR 13162, Apr. 3, 1985, as amended at 89 FR 51399, June 18, 2024]