Regulations last checked for updates: Nov 26, 2024
Title 12 - Banks and Banking last revised: Nov 20, 2024
§ 792.52 - Scope.
This subpart governs requests made of NCUA under the Privacy Act (5 U.S.C. 552a). The regulation applies to all records maintained by NCUA which contain personal information about an individual and some means of identifying the individual, and which are contained in a system of records from which information may be retrieved by use of an identifying particular; sets forth procedures whereby individuals may seek and gain access to records concerning themselves and request amendments of those records; and sets forth requirements applicable to NCUA employees' maintaining, collecting, using, or disseminating such records.
§ 792.53 - Definitions.
For purposes of this subpart:
(a) Individual means a citizen of the United States or an alien lawfully admitted for permanent residence.
(b) Maintain includes maintain, collect, use, or disseminate.
(c) Record means any item, collection, or grouping of information about an individual that is maintained by NCUA, and that contains the name, or an identifying number, symbol, or other identifying particular assigned to the individual.
(d) System of records means a group of any records under NCUA's control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
(e) Routine use means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.
(f) Statistical record means a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by section 8 of title 13 of the United States Code.
(g) Notice of Systems of Records means the annual notice published by NCUA in the Federal Register informing the public of the existence and character of the systems of records it maintains. The Notice of Systems of Records also is available on NCUA's Web site at http://www.ncua.gov.
(h) System manager means the NCUA official responsible for the maintenance, collection, use or distribution of information contained in a system of records. The system manager for each system of records is provided in the Federal Register publication of NCUA's annual systems of records notice.
(i) Working day means Monday through Friday excluding legal public holidays.
[54 FR 18476, May 1, 1989, as amended at 73 FR 56938, Oct. 1, 2008]
§ 792.54 - Procedures for requests pertaining to individual records in a system of records.
(a) Individuals desiring to know if a system of records contains records pertaining to them, and individuals requesting access to records in a system of records pertaining to them should submit a written request to the appropriate system manager as identified in the Notice of Systems of Records. An individual who does not have access to the Federal Register and who is unable to determine the appropriate system manager to whom to submit a request may submit a request to the Privacy Officer, Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428, in which case the request will be referred to the appropriate system manager.
(b) Individuals requesting notification of, or access to, records should include the words “PRIVACY ACT REQUEST” on both the letter and, as appropriate, the envelope, cover document or subject line; describe the record sought; the approximate dates covered by the record; and, the systems of record in which records are thought to be included. Individuals must also meet the identification requirements in § 792.55.
[73 FR 56938, Oct. 1, 2008]
§ 792.55 - Times, places, and requirements for identification of individuals making requests and identification of records requested.
(a) The following standards are applicable to an individual submitting requests either in person or by mail under § 792.54:
(1) Individuals appearing in person, if not personally known to the system manager responding to the request, must present a single document bearing a photograph (such as a passport or identification badge) or two items of identification which do not bear a photograph but do bear both a name and address (such as a driver's license or voter registration card);
(2) Individuals submitting requests by mail or written electronic form, such as facsimile or e-mail, may establish identity by a signature, address, date of birth, employee identification number if any, and one other identifier such as a photocopy of driver's license or other document. If inadequate identifying information is provided, the system manager responding to the request may require further identifying information before any notification or responsive disclosure.
(3) Individuals appearing in person or submitting requests by mail or written electronic form, who cannot provide the required documentation or identification, may provide an unsworn declaration subscribed to as true under penalty of perjury.
(b) The parent or guardian of a minor or a person judicially determined to be incompetent shall, in addition to establishing identity of the minor or other person as required in paragraph (a) of this section, furnish a copy of a birth certificate showing parentage or a court order establishing guardianship.
(c) A record may be disclosed to a representative of an individual to whom the record pertains provided the system manager receives written authorization from the individual who is the subject of the record.
(d) An individual seeking to review records about that individual may be accompanied by another person of their own choosing. In such cases, the individual seeking access shall be required to furnish a written statement authorizing discussion of that individual's records in the accompanying person's presence.
(e) In addition to the requirements set forth in paragraphs (a), (b) and (c) of this section, the published “Notice of System of Records” for individual systems may include further requirements of identification where necessary to retrieve the individual records from the system.
[54 FR 18476, May 1, 1989. Redesignated at 63 FR 14338, Mar. 25, 1998, as amended at 64 FR 57365, Oct. 25, 1999; 65 FR 63790, Oct. 25, 2000; 73 FR 56939, Oct. 1, 2008]
§ 792.56 - Notice of existence of records, access decisions and disclosure of requested information; time limits.
(a) The system manager identified in the record access procedure section of the “Notice of Systems of Records” and identified in accordance with § 792.54(a), by an individual seeking notification of, or access to, a record, shall be responsible:
(1) For determining whether access is available under the Privacy Act; (2) for notifying the requesting individual of that determination; and (3) for providing access to information determined to be available. In the case of an individual access request made in person, information determined to be available shall be provided by allowing a personal review of the record or portion of a record containing the information requested and determined to be available, and the individual shall be allowed to have a copy of all or any portion of available information made in a form comprehensible to him. In the case of an individual access request made by mail, information determined to be available shall be provided by mail, unless the individual has requested otherwise.
(b) The following time limits shall be applicable to the required determinations, notification and provisions of access set forth in paragraph (a) of this section:
(1) A request concerning a single system of records which does not require consultation with or requisition of records from another agency will be responded to within 20 working days after receipt of the request.
(2) A request requiring requisition of records from or consultation with another agency will be responded to within 30 working days of receipt of the request.
(3) If a request under paragraphs (b)(1) or (2) of this section presents unusual difficulties in determining whether the records involved are exempt from disclosure, the Privacy Act Officer, in the Office of General Counsel, may extend the time period established by the regulations by 10 working days.
(c) Nothing in this section shall be construed to allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding, or any information exempted from the access provisions of the Privacy Act.
[54 FR 18476, May 1, 1989, as amended at 59 FR 36042, July 15, 1994; 64 FR 57365, Oct. 25, 1999; 65 FR 63790, Oct. 25, 2000]
§ 792.57 - Special procedures: Information furnished by other agencies; medical records.
(a) When a request for records or information from NCUA includes information furnished by other Federal agencies, the system manager responsible for action on the request shall consult with the appropriate agency prior to making a decision to disclose or refuse access to the record, but the decision whether to disclose the record shall be made in the first instance by the system manager.
(b) Medical records may be disclosed on request to the individuals to whom they pertain unless disclosing the medical information directly to the requesting individual could have an adverse effect on the individual. Where medical information is potentially adverse to the requesting individual, the system manager responsible may advise the requesting individual that the medical records will be transmitted only to a physician designated in writing by the individual.
[54 FR 18476, May 1, 1989. Redesignated at 63 FR 14338, Mar. 25, 1998, as amended at 65 FR 63790, Oct. 25, 2000; 73 FR 56939, Oct. 1, 2008]
§ 792.58 - Requests for correction or amendment to a record; administrative review of requests.
(a) An individual may request amendment of a record concerning that individual by submitting a written request, either in person or by mail, to the system manager identified in the Notice of Systems of Records. The words “PRIVACY ACT—REQUEST TO AMEND RECORD” should be written on the letter and the envelope. The request must describe the system of records containing the record sought to be amended, indicate the particular record involved, the nature of the correction sought, and the justification for the correction or amendment. An individual who does not have access to NCUA's Notice of Systems of Records, and to whom the appropriate address is otherwise unavailable, may submit a request to the Privacy Act Officer, Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428, in which case the request will then be referred to the appropriate system manager. The date of receipt of the request will be determined as of the date of receipt by the system manager.
(b) Within 10 working days of receipt of the request, the appropriate system manager shall advise the individual that the request has been received. The appropriate system manager will promptly (under normal circumstances, not later than 30 working days after receipt of the request) advise the individual that the record will be amended or corrected, or inform the individual of rejection of the request to amend the record, the reason for the rejection, and the procedures established by § 792.59 for the individual to request a review of that rejection.
[54 FR 18476, May 1, 1989, as amended at 59 FR 36041, 36042, July 15, 1994; 65 FR 63790, Oct. 25, 2000; 73 FR 56939, Oct. 1, 2008]
§ 792.59 - Appeal of initial determination.
(a) A rejection, in whole or in part, of a request to amend or correct a record may be appealed to the General Counsel within 30 working days of receipt of notice of the rejection. Appeals shall be in writing, and shall set forth the specific item of information sought to be corrected and the documentation justifying the correction. Appeals must be addressed to the Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428 with the words “PRIVACY ACT—APPEAL” written on the letter and the envelope. Appeals shall be decided within 30 working days of receipt unless the General Counsel, for good cause, extends such period for an additional 30 working days.
(b) Within the time limits set forth in paragraph (a) of this section, the General Counsel shall either advise the individual of a decision to amend or correct the record, or advise the individual of a determination that an amendment or correction is not warranted on the facts, in which case the individual shall be advised of the right to provide for the record a “Statement of Disagreement” and of the right to further appeal pursuant to the Privacy Act. For records under the jurisdiction of the Office of Personnel Management, appeals will be made pursuant to that agency's regulations.
(c) If an appeal under this section is denied in whole or in part, an individual may file a statement of disagreement concisely stating the reason(s) for disagreeing with the denial for amendment or correction, and clearly identifying each part of any record that is disputed. The statement must be sent within 30 working days of the date of receipt of the notice of General Counsel's refusal to authorize amendment or correction, to the General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428. Upon receipt of a statement of disagreement in accordance with this section, the General Counsel shall take steps to ensure that the statement is included in the system of records containing the disputed item and that the original item is so marked to indicate that there is a statement of dispute and where, within the system of records, that statement may be found.
(d) When a record has been amended or corrected or a statement of disagreement has been furnished, the system manger for the system of records containing the record shall, within 30 days thereof, advise all prior recipients of information to which the amendment or statement of disagreement relates whose identity can be determined by an accounting made as required by the Privacy Act of 1974 or any other accounting previously made, of the amendment or statement of disagreement. When a statement of disagreement has been furnished, the system manager shall also provide any subsequent recipient of a disclosure containing information to which the statement relates with a copy of the statement and note the disputed portion of the information disclosed. A concise statement of the reasons for not making the requested amendment may also be provided if deemed appropriate.
(e) If access is denied because of an exemption, the individual will be notified of the right to appeal that determination to the General Counsel within 30 days after receipt. Appeals will be determined within 20 working days.
[54 FR 18476, May 1, 1989, as amended at 59 FR 36041, July 15, 1994; 65 FR 63790, Oct. 25, 2000; 73 FR 56939, Oct. 1, 2008]
§ 792.60 - Disclosure of record to person other than the individual to whom it pertains.
No record or item of information concerning an individual which is contained in a system of records maintained by NCUA shall be disclosed by any means of communication to any person, or to another agency, without the prior written consent of the individual to whom the record or item of information pertains, unless the disclosure would be—
(a) To an employee of the NCUA who has need for the record in the performance of duty;
(b) Required by the Freedom of Information Act;
(c) For a routine use as described in the “Notice of Systems of Records,” published in the Federal Register, which describes the system of records in which the record or item of information is contained;
(d) To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13 of the United States Code;
(e) To a recipient who has provided the NCUA with advance adequate written assurance that the record or item will be used soley as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;
(f) To the National Archives and Records Administration as a record or item which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;
(g) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to NCUA specifying the particular portion desired and the law enforcement activity for which the record or item is sought;
(h) To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if, upon such disclosure, notification is transmitted to the last known address of such individual;
(i) To either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;
(j) To the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the Government Accountability Office;
(k) Pursuant to the order of a court of competent jurisdiction; or
(l) To a consumer reporting agency in accordance with section 3711(f) of title 31 of the United States Code (31 U.S.C. 3711(f)).
[54 FR 18476, May 1, 1989, as amended at 73 FR 56939, Oct. 1, 2008]
§ 792.61 - Accounting for disclosures.
(a) Each system manager identified in the “Notice of Systems of Records” must establish a system of accounting for all disclosures of information or records under the Privacy Act made outside NCUA. Accounting procedures may be established in the least expensive and most convenient form that will permit the system manager to advise individuals, promptly upon request, of the persons or agencies to which records concerning them have been disclosed.
(b) Accounting records, at a minimum, shall include the information disclosed, the name and address of the person or agency to whom disclosure was made, and the date of disclosure. When records are transferred to the National Archives and Records Administration for storage in records centers, the accounting pertaining to those records shall be transferred with the records themselves.
(c) Any accounting made under this section shall be retained for at least five years or the life of the record, whichever is longer, after the disclosure for which the accounting is made.
[54 FR 18476, May 1, 1989, as amended at 73 FR 56939, Oct. 1, 2008]
§ 792.62 - Requests for accounting for disclosures.
At the time of the request for access or correction or at any other time, an individual may request an accounting of disclosures made of the individual's record outside the NCUA. Request for accounting shall be directed to the system manager. Any available accounting, whether kept in accordance with the requirements of the Privacy Act or under procedures established prior to September 27, 1975, shall be made available to the individual, except that an accounting need not be made available if it relates to:
(a) A disclosure made pursuant to the Freedom of Information Act (5 U.S.C. 552);
(b) A disclosure made within the NCUA;
(c) A disclosure made to a law enforcement agency pursuant to 5 U.S.C. 552a(b)(7);
(d) A disclosure which has been exempted from the provisions of 5 U.S.C. 552a(c)(3) pursuant to 5 U.S.C. 552a (j) or (k).
§ 792.63 - Collection of information from individuals; information forms.
(a) The system manager for each system of records is responsible for reviewing all forms developed and used to collect information from or about individuals for incorporation into the system of records.
(b) The purpose of the review shall be to eliminate any requirement for information that is not relevant and necessary to carry out an NCUA function and to accomplish the following objectives:
(1) To ensure that no information concerning religion, political beliefs or activities, association memberships (other than those required for a professional license), or the exercise of other First Amendment rights is required to be disclosed unless such requirement of disclosure is expressly authorized by statute or by the individual about whom the record is maintained, or unless pertinent to and within the scope of any authorized law enforcement activity;
(2) To ensure that the form or accompanying statement makes clear to the individual which information by law must be disclosed and the authority for that requirement, and which information is voluntary;
(3) To ensure that the form or accompanying statement makes clear the principal purpose or purposes for which the information is being collected, and states concisely the routine uses that will be made of the information;
(4) To ensure that the form or accompanying statement clearly indicates to the individual the effects on him or her, if any, of refusing to provide some or all of the requested information; and
(5) To ensure that any form requesting disclosure of a social security number, or an accompanying statement, clearly advises the individual of the statute or regulation requiring disclosure of the number, or clearly advises the individual that disclosure is voluntary and that no consequence will flow from a refusal to disclose it, and the uses that will be made of the number whether disclosed mandatorily or voluntarily.
(c) Any form which does not meet the objectives specified in the Privacy Act and this section shall be revised to conform thereto.
[54 FR 18476, May 1, 1989, as amended at 73 FR 56939, Oct. 1, 2008]
§ 792.64 - Contracting for the operation of a system of records.
(a) No NCUA component shall contract for the operation of a system of records by or on behalf of the Agency without the express approval of the NCUA Board.
(b) Any contract which is approved shall continue to ensure compliance with the requirements of the Privacy Act. The contracting component shall have the responsibility for ensuring that the contractor complies with the contract requirements relating to the Privacy Act.
§ 792.65 - Fees.
(a) Fees pursuant to 5 U.S.C. 552a(f)(5) shall be assessed for actual copies of records provided to individuals on the following basis, unless the system manager determining access waives the fee because of the inability of the individual to pay or the cost of collecting the fee exceeds the fee:
(1) For copies of documents provided, copy fees as stated in NCUA's current FOIA fee schedule; and
(2) For copying information, if any, maintained in nondocument form, the direct cost to NCUA may be assessed.
(b) If it is determined that access fees chargeable under this section will amount to more than $25, and the individual has not indicated in advance willingness to pay fees as high as are anticipated, the individual shall be notified of the amount of the anticipated fees before copies are made, and the individual's access request shall not be considered to have been received until receipt by NCUA of written agreement to pay.
[54 FR 18476, May 1, 1989. Redesignated at 63 FR 14338, Mar. 25, 1998, as amended at 65 FR 63790, Oct. 25, 2000]
§ 792.66 - Exemptions.
(a) NCUA maintains several systems of records that are exempted from some provisions of the Privacy Act. The system number and name, description of records contained in the system, exempted provisions and reasons for exemption are as follows:
(b)(1) System NCUA-1, entitled “Employee Suitability Security Investigations Containing Adverse Information,” consists of adverse information about NCUA employees that had been obtained as a result of routine U.S. Office of Personnel Management (OPM) security investigations. To the extent that NCUA maintains records in this system pursuant to OPM guidelines that may require retrieval of information by use of individual identifiers, those records are encompassed by and included in the OPM Central system of records number Central-9 entitled, “Personnel Investigations Records,” and thus are subject to the exemptions promulgated by OPM. Additionally, in order to ensure the protection of properly confidential sources, particularly as to those records which are not maintained pursuant to such Office of Personnel Management requirements, the records in these systems of records are exempted, pursuant to section k(5) of the Privacy Act (5 U.S.C. 552a(k)(5)), from section (d) of the Act (5 U.S.C. 552a(d)). To the extent that disclosure of a record would reveal the identity of a confidential source, NCUA need not grant access to that record by its subject. Information which would reveal a confidential source shall, however, whenever possible, be extracted or summarized in a manner which protects the source and the summary or extract shall be provided to the requesting individual.
(2) System NCUA-8, entitled, “Investigative Reports Involving Any Crime or Suspicious Activity Against a Credit Union, NCUA,” consists of investigatory or enforcement records about individuals suspected of involvement in violations of laws or regulations, whether criminal or administrative. These records are maintained in an overall context of general investigative information concerning crimes against credit unions. To the extent that individually identifiable information is maintained for purposes of protecting the security of any investigations by appropriate law enforcement authorities and promoting the successful prosecution of all actual criminal activity, the records in this system are exempted, pursuant to section k(2) of the Privacy Act (5 U.S.C. 552a (k)(2)), from sections (c)(3), (d), (e)(1), (e)(2), (e)(4)(G), (e)(4)(H), (f), and (g). The records in this system are also exempted pursuant to section (j)(2) of the Privacy Act, 5 U.S.C. 552a(j)(2), from sections (c)(3), (d), (e)(1), (e)(2), (e)(4)(G), (e)(4)(H), (f), and (g). Where possible, information that would identify a confidential source will be extracted or summarized in a manner that protects the source and the summary or extract will be provided to the requesting individual.
(3) System NCUA-20, entitled, “Office of Inspector General (OIG) Investigative Records,” consists of OIG records of closed and pending investigations of individuals alleged to have been involved in criminal violations. The records in this system are exempted pursuant to sections (k)(2) of the Privacy Act, 5 U.S.C. 552a(k)(2), from sections (c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f). The records in this system are also exempted pursuant to section (j)(2) of the Privacy Act, 5 U.S.C. 552a(j)(2), from sections (c)(3), (c)(4), (d), (e)(1), (e)(2), (e)(3), and (g). NCUA need not make an accounting of previous disclosures of a record in this system of records available to its subject, and NCUA need not grant access to any records in this system of records by their subject. Further, whenever individuals request records about themselves and maintained in this system of records, the NCUA will advise the individuals only that no records available to them pursuant to the Privacy Act of 1974 have been identified. However, if review of the record reveals that the information contained therein has been used or is being used to deny the individuals any right, privilege or benefit for which they are eligible or to which they would otherwise be entitled under federal law, the individuals will be advised of the existence of the information and will be provided the information, except to the extent disclosure would identify a confidential source. Where possible, information which would identify a confidential source will be extracted or summarized in a manner which protects the source and the summary or extract will be provided to the requesting individual.
(4) System NCUA-13, entitled, “Litigation Case Files,” consists of investigatory materials compiled for law enforcement purposes. Records in the Litigation Case Files system are used in connection with the execution of NCUA's legal and enforcement responsibilities. Because the system covers investigatory materials compiled for law enforcement purposes, it is eligible for exemption under subsection (k)(2) of the Privacy Act. 5 U.S.C. 552a(k)(2). The Litigation Case Files system is exempt from subsections (c)(3), (d), (e)(1), (e)(4)(G), (H), (I) and (f) of the Privacy Act. 5 U.S.C. 552a (c)(3), (d), (e)(1), (e)(4)(G), (H), (I) and (f). However, if an individual is denied any right, privilege, or benefit to which he would otherwise be entitled by federal law, or for which he otherwise would be eligible, as a result of the maintenance of such records, the records or information will be made available to him, provided the identity of a confidential source is not disclosed. NCUA need not make an accounting of previous disclosures of a record in this system of records available to its subject, and NCUA need not grant access to any records in this system of records by their subject. Further, whenever individuals request records about themselves and maintained in this system of records, the NCUA will advise the individuals only that no records available to them pursuant to the Privacy Act of 1974 have been identified. However, if review of the record reveals that the information contained therein has been used or is being used to deny the individuals any right, privilege or benefit for which they are eligible or to which they would otherwise be entitled under federal law, the individuals will be advised of the existence of the information and will be provided the information, except to the extent disclosure would identify a confidential source. Where possible, information that would identify a confidential source will be extracted or summarized in a manner which protects the source and the summary or extract will be provided to the requesting individual.
(c) For purposes of this section, a “confidential source” means a source who furnished information to the Government under an express promise that the identity of the source would remain confidential, or, prior to September 27, 1976, under an implied promise that the identity of the source would be held in confidence.
[54 FR 18476, May 1, 1989, as amended at 60 FR 31912, June 19, 1995; 64 FR 57365, Oct. 25, 1999; 65 FR 63790, Oct. 25, 2000; 73 FR 56940, Oct. 1, 2008; 75 FR 34623, June 18, 2010]
§ 792.67 - Security of systems of records.
(a) Each system manager, with the approval of the head of that Office, shall establish administrative and physical controls to insure the protection of a system of records from unauthorized access or disclosure and from physical damage or destruction. The controls instituted shall be proportional to the degree of sensitivity of the records, but at a minimum must insure: that records are enclosed in a manner to protect them from public view; that the area in which the records are stored is supervised during all business hours to prevent unauthorized personnel from entering the area or obtaining access to the records; and that the records are inaccessible during nonbusiness hours.
(b) Each system manager, with the approval of the head of that Office, shall adopt access restriction to insure that only those individuals within the agency who have a need to have access to the records for the performance of duty have access. Procedures shall also be adopted to prevent accidental access to or dissemination of records.
§ 792.68 - Use and collection of Social Security numbers.
The head of each NCUA Office shall take such measures as are necessary to ensure that employees authorized to collect information from individuals are advised that individuals may not be required without statutory or regulatory authorization to furnish Social Security numbers, and that individuals who are requested to provide Social Security numbers voluntarily must be advised that furnishing the number is not required and that no penalty or denial of benefits will flow from the refusal to provide it.
§ 792.69 - Training and employee standards of conduct with regard to privacy.
(a) The Director of the Office of Human Resources, with advice from the Senior Privacy Act Officer, is responsible for training NCUA employees in the obligations imposed by the Privacy Act and this subpart.
(b) The head of each NCUA Office shall be responsible for assuring that employees subject to that person's supervision are advised of the provisions of the Privacy Act, including the criminal penalties and civil liabilities provided therein, and that such employees are made aware of their responsibilities to protect the security of personal information, to assure its accuracy, relevance, timeliness, and completeness, to avoid unauthorized disclosure either orally or in writing, and to insure that no information system concerning individuals, no matter how small or specialized, is maintained without public notice.
(c) With respect to each system of records maintained by NCUA, Agency employees shall:
(1) Collect no information of a personal nature from individuals unless authorized to collect it to achieve a function or carry out an NCUA responsibility;
(2) Collect from individuals only that information which is necessary to NCUA functions or responsibilities;
(3) Collect information, wherever possible, directly from the individual to whom it relates;
(4) Inform individuals from whom information is collected of the authority for collection, the purposes thereof, the routine uses that will be made of the information, and the effects, both legal and practical of not furnishing the information;
(5) Not collect, maintain, use, or disseminate information concerning an individual's religious or political beliefs or activities or his membership in associations or organizations, unless:
(i) The individual has volunteered such information for his own benefit;
(ii) The information is expressly authorized by statute to be collected, maintained, used, or disseminated; or
(iii) Activities involved are pertinent to and within the scope of an authorized investigation or adjudication.
(6) Advise their supervisors of the existence or contemplated development of any record system which retrieves information about individuals by individual identifier.
(7) Maintain an accounting, in the prescribed form, of all dissemination of personal information outside NCUA, whether made orally or in writing;
(8) Disseminate no information concerning individuals outside NCUA except when authorized by 5 U.S.C. 552a or pursuant to a routine use as set forth in the “routine use” section of the “Notice of Systems of Records” published in the Federal Register.
(9) Maintain and process information concerning individuals with care in order to ensure that no inadvertent disclosure of the information is made either within or outside NCUA; and
(10) Call to the attention of the proper NCUA authorities any information in a system maintained by NCUA which is not authorized to be maintained under the provisions of the Privacy Act, including information on First Amendment activities, information that is inaccurate, irrelevant or so incomplete as to risk unfairness to the individuals concerned.
(c) Heads of offices within NCUA shall, at least annually, review the record systems subject to their supervision to ensure compliance with the provisions of the Privacy Act.
[54 FR 18476, May 1, 1989, as amended at 59 FR 36042, July 15, 1994; 65 FR 63790, Oct. 25, 2000; 67 FR 30774, May 8, 2002; 73 FR 56940, Oct. 1, 2008]
authority: 5 U.S.C. 301,
552,
552a,
552b;
12 U.S.C. 1752a(d), 1766, 1789, 1795f; E.O. 12600, 52 FR 23781, 3 CFR, 1987 Comp., p.235; E.O. 13526, 75 FR 707, 2009 Comp. p.298
source: 54 FR 18476, May 1, 1989, unless otherwise noted.
cite as: 12 CFR 792.52