Regulations last checked for updates: Nov 24, 2024

Title 15 - Commerce and Foreign Trade last revised: Oct 25, 2024
§ 2004.20 - Definitions.

For purposes of this subpart:

Access means making a record available to a subject individual.

Amendment means any correction, addition to or deletion of information in a record.

Individual means a natural person who either is a citizen of the United States or an alien lawfully admitted to the United States for permanent residence.

Maintain means to keep or hold and preserve in an existing state, and includes the terms collect, use, disseminate and control.

Privacy Act Office means the USTR officials who are authorized to respond to requests and to process requests for amendment of records USTR maintains under the Privacy Act.

Record means any item, collection or grouping of information about an individual that USTR maintains within a system of records and contains the individual's name or the identifying number, symbol or other identifying particular assigned to the individual, such as a finger or voice print or photograph.

System of records means a group of records USTR maintains or controls from which information is retrieved by the name of an individual or by some identifying number, symbol or other identifying particular assigned to the individual. USTR publishes notices in the Federal Register announcing the creation, deletion or amendment of its systems of records. You can find a description of our systems of records on the USTR Web site: www.ustr.gov.

§ 2004.21 - Purpose and scope.

(a) This subpart implements the Privacy Act, 5 U.S.C. 552a,a. It establishes USTR's rules for access to records in systems of records we maintain that are retrieved by an individual's name or another personal identifier. It describes the procedures by which individuals may request access to records, request amendment or correction of those records, and request an accounting of disclosures of those records by USTR. Whenever it is appropriate to do so, USTR automatically processes a Privacy Act request for access to records under both the Privacy Act and the FOIA, following the rules contained in this subpart and subpart B of part 2004. USTR processes a request under both the Privacy Act and the FOIA so you will receive the maximum amount of information available to you by law.

(b) This subpart does not entitle you to any service or to the disclosure of any record to which you are not entitled under the Privacy Act. It also does not, and may not be relied upon to create any substantive or procedural right or benefit enforceable against USTR.

§ 2004.22 - How do I make a Privacy Act request?

(a) In general. You can make a Privacy Act request on your own behalf for records or information about you. You also can make a request on behalf of another individual as the parent or guardian of a minor, or as the guardian of someone determined by a court to be incompetent. You may request access to another individual's record or information if you have that individual's written consent, unless other conditions of disclosure apply.

(b) How do I make a request?—(1) Where do I send my written request? To make a request for access to a record, you should write directly to our Privacy Act Office. Heightened security delays mail delivery. To avoid mail delivery delays, we strongly suggest that you email your request to [email protected]. Our mailing address is: Privacy Act Office, Office of the US Trade Representative, Anacostia Naval Annex, Building 410/Door 123, 250 Murray Lane SW., Washington, DC 20509. To make sure that the Privacy Act Office receives your request without delay, you should include the notation `Privacy Act Request' in the subject line of your email or on the front of your envelope and also at the beginning of your request.

(2) Security concerns. To protect our computer systems, we will not open attachments to emailed requests—you must include your request within the body of the email. We will not process email attachments.

(c) What should my request include? You must describe the record that you seek in enough detail to enable the Privacy Act Office to locate the system of records containing the record with a reasonable amount of effort. Include specific information about each record sought, such as the time period in which you believe it was compiled, the name or identifying number of each system of records in which you believe it is kept, and the date, title or name, author, recipient, or subject matter of the record. As a general rule, the more specific you are about the record that you seek, the more likely we will be able to locate it in response to your request.

(d) How do I request amendment or correction of a record? If you are requesting an amendment or correction of a USTR record, you must identify each particular record in question and the system of records in which the record is located, describe the amendment or correction that you seek, and state why you believe that the record is not accurate, relevant, timely or complete. You may submit any documentation that you think would be helpful, including an annotated copy of the record.

(e) How do I request an accounting of record disclosures? If you are requesting an accounting of disclosures made by USTR to another person, organization or Federal agency, you must identify each particular record in question. An accounting generally includes the date, nature and purpose of each disclosure, as well as the name and address of the person, organization, or Federal agency to which the disclosure was made.

(f) Verification of identity. When making a Privacy Act request, you must verify your identity in accordance with these procedures to protect your privacy or the privacy of the individual on whose behalf you are acting. If you make a Privacy Act request and you do not follow these identity verification procedures, USTR cannot process your request.

(1) How do I verify my own identity? You must state your full name, current address, and date and place of birth. In order to help identify and locate the records, you also may, at your option, include your Social Security number. To verify your own identity, you must provide an unsworn declaration under 28 U.S.C. 1746,a. To fulfill this requirement, you must include the following statement just before the signature on your request:

I declare under penalty of perjury that the foregoing is true and correct. Executed on [date].

(2) How do I verify parentage or guardianship? If you make a request as the parent or guardian of a minor, or as the guardian of someone determined by a court to be incompetent, for access records or information about that individual, you must establish:

(i) The identity of the individual who is the subject of the record, by stating the individual's name, current address and date and place of birth, and, at your option, the Social Security number of the individual;

(ii) Your own identity, as required in paragraph (f)(1) of this section;

(iii) That you are the parent or guardian of the individual, which you may prove by providing a copy of the individual's birth certificate showing your parentage or a court order establishing your guardianship; and

(iv) That you are acting on behalf of the individual in making the request.

§ 2004.23 - How will USTR respond to my Privacy Act request?

(a) When will we respond to your request? We will search to determine if the requested records exist in a system of records USTR owns or controls. The Privacy Act Office will respond to you in writing within twenty days after we receive your request, if it meets the requirements of this subpart. We may extend the response time in unusual circumstances, such as the need to consult with another agency about a record or to retrieve a record shipped offsite for storage.

(b) What will our response include? Our written response will include our determination whether to grant or deny your request in whole or in part, a brief explanation of the reasons for the determination, and the amount of the fee charged, if any, under § 2004.25. If you requested access to records, we will make the records, if any, available to you. If you requested amendment or correction of a record, the response will describe any amendments or corrections made and advise you of your right to obtain a copy of the amended or corrected record.

(c) Adverse determinations—(1) What is an adverse determination? An adverse determination is a response to a Privacy Act request that:

(i) Withholds any requested record in whole or in part;

(ii) Denies a request to amend or correct a record in whole or in part;

(iii) Declines to provide an accounting of disclosures;

(iv) Advises that a requested record does not exist or cannot be located;

(v) Finds that what you requested is not a record subject to the Privacy Act; or

(vi) Advises on any disputed fee matter.

(2) Responses that include an adverse determination. If the Privacy Act Office makes an adverse determination with respect to your request, our written response will identify the person responsible for the adverse determination, that the adverse determination is not a final agency action, and that you may appeal the adverse determination under § 2004.24.

§ 2004.24 - What can I do if I am dissatisfied with USTR's response to my Privacy Act request?

(a) What can I appeal? You can appeal any adverse determination in writing to our Privacy Act Appeals Committee within thirty calendar days after the date of our response. We provide a list of adverse determinations in § 2004.23(c).

(b) How do I make an appeal?—(1) What should I include? You may appeal by submitting a written statement giving the reasons why you believe the Committee should overturn the adverse determination. Your written appeal may include as much or as little related information as you wish to provide, as long as it clearly identifies the determination (including the request number, if known) that you are appealing.

(2) Where do I send my appeal? You should mark both your letter and the envelope, or the subject of your email, “Privacy Act Appeal”. To avoid mail delivery delays caused by heightened security, we strongly suggest that you email any appeal to [email protected]. Our mailing address is: Privacy Office, Office of the US Trade Representative, Anacostia Naval Annex, Building 410/Door 123, 250 Murray Lane SW., Washington, DC 20509.

(c) Who will decide your appeal? (1) The Privacy Act Appeals Committee or designee will act on all appeals under this section.

(2) We ordinarily will not adjudicate an appeal if the request becomes a matter of litigation.

(3) On receipt of any appeal involving classified information, the Privacy Act Appeals Committee must take appropriate action to ensure compliance with applicable classification rules.

(d) When will we respond to your appeal? The Privacy Act Appeals Committee will notify you of its appeal decision in writing within thirty days from the date it receives an appeal that meets the requirements of paragraph (b) of this section. We may extend the response time in unusual circumstances, such as the need to consult with another agency about a record or to retrieve a record shipped offsite for storage.

(e) What will our response include? The written response will include the Committee's determination whether to grant or deny your appeal in whole or in part, a brief explanation of the reasons for the determination, and information about the Privacy Act provisions for court review of the determination.

(1) Appeals concerning access to records. If your appeal concerns a request for access to records and the appeal is granted in whole or in part, we will make the records, if any, available to you.

(2) Appeals concerning amendments or corrections. If your appeal concerns amendment or correction of a record, the response will describe any amendment or correction made and advise you of your right to obtain a copy of the amended or corrected record. We will notify all persons, organizations or Federal agencies to which we previously disclosed the record, if an accounting of that disclosure was made, that the record has been amended or corrected. Whenever the record is subsequently disclosed, the record will be disclosed as amended or corrected. If our response denies your request for an amendment or correction to a record, we will advise you of your right to file a statement of disagreement under paragraph (f) of this section.

(f) Statements of disagreement—(1) What is a statement of disagreement? A statement of disagreement is a concise written statement in which you clearly identify each part of any record that you dispute and explain your reason(s) for disagreeing with our denial in whole or in part of your appeal requesting amendment or correction.

(2) How do I file a statement of disagreement? We must receive your statement of disagreement within thirty calendar days of our denial in whole or in part of your appeal concerning amendment or correction of a record.

(3) What will we do with your statement of disagreement? We will place your statement of disagreement in the system(s) of records in which the disputed record is maintained. We also may append a concise statement of our reason(s) for denying the request to amend or correct the record. Whenever the record is subsequently disclosed, the record will be disclosed along with your statement of disagreement and our explanation, if any.

(g) When appeal is required. Before seeking review by a court of an adverse determination or denial of a request, you generally first must submit a timely administrative appeal under this section.

§ 2004.25 - What does it cost to get records under the Privacy Act?

(a) Your request is an agreement to pay fees. We consider your Privacy Act request as your agreement to pay all applicable fees unless you specify a limit on the amount of fees you agree to pay. We will not exceed the specified limit without your written agreement.

(b) How do we calculate fees? We will charge a fee for duplication of a record under the Privacy Act in the same way we charge for duplication of records under the FOIA in § 2004.9. There are no fees to search for or review records requested under the Privacy Act.

§ 2004.26 - Are there any exemptions from the Privacy Act?

(a) What is a Privacy Act exemption? The Privacy Act authorizes USTR to exempt records or information in a system of records from some of the Privacy Act requirements, if we determine that the exemption is necessary. With the exception of certain law enforcement records, we will not provide you with an accounting of disclosures or make available to you records that are exempt.

(b) How do I know if the records or information I want are exempt? Each USTR system of records notice will advise you if we have determined that records or information in records are exempt from Privacy Act requirements. If we have claimed an exemption for a system of records, the system of records notice will identify the exemption and the provisions of the Privacy Act from which the system is exempt.

§ 2004.27 - How are records secured?

(a) Controls. USTR must establish administrative and physical controls to prevent unauthorized access to its systems of records, unauthorized or inadvertent disclosure of records, and physical damage to or destruction of records. The stringency of these controls corresponds to the sensitivity of the records that the controls protect. At a minimum, the administrative and physical controls must ensure that:

(1) Records are protected from public view;

(2) The area in which records are kept is supervised during business hours to prevent unauthorized persons from having access to them;

(3) Records are inaccessible to unauthorized persons outside of business hours; and

(4) Records are not disclosed to unauthorized persons or under unauthorized circumstances in either oral or written form.

(b) Limited access. Access to records is restricted only to individuals who require access in order to perform their official duties.

§ 2004.28 - Use and collection of Social Security numbers.

We will collect Social Security numbers only when it is necessary and we are authorized to do so. At least annually, the Privacy Act Office will inform employees who are authorized to collect information that:

(a) Individuals may not be denied any right, benefit or privilege as a result of refusing to provide their Social Security numbers, unless the collection is authorized either by a statute or by a regulation issued prior to 1975; and

(b) They must inform individuals who are asked to provide their Social Security numbers:

(1) If providing a Social Security number is mandatory or voluntary;

(2) If any statutory or regulatory authority authorizes collection of a Social Security number; and

(3) The uses that will be made of the Social Security number.

§ 2004.29 - Employee responsibilities under the Privacy Act.

At least annually, the Privacy Act Office will inform employees about the provisions of the Privacy Act, including the Act's civil liability and criminal penalty provisions. Unless otherwise permitted by law, a USTR employee must:

(a) Collect from individuals only information that is relevant and necessary to discharge USTR's responsibilities.

(b) Collect information about an individual directly from that individual whenever practicable.

(c) Inform each individual from whom information is collected of:

(1) The legal authority to collect the information and whether providing it is mandatory or voluntary;

(2) The principal purpose for which USTR intends to use the information;

(3) The routine uses, i.e., disclosures of records and information contained in a system of records without the consent of the subject of the record, USTR may make; and

(4) The effects on the individual, if any, of not providing the information.

(d) Ensure that the employee's office does not maintain a system of records without public notice and notify appropriate officials of the existence or development of any system of records that is not the subject of a current or planned public notice.

(e) Maintain all records that are used in making any determination about an individual with such accuracy, relevance, timeliness and completeness as is reasonably necessary to ensure fairness to the individual in the determination.

(f) Except for disclosures made to an agency or under the FOIA, make reasonable efforts, prior to disseminating any record about an individual, to ensure that the record is accurate, relevant, timely and complete.

(g) When required by the Privacy Act, maintain an accounting in the specified form of all disclosures of records by USTR to persons, organizations or agencies.

(h) Maintain and use records with care to prevent the unauthorized or inadvertent disclosure of a record to anyone.

(i) Notify the appropriate official of any record that contains information that the Privacy Act does not permit USTR to maintain.

authority: 19 U.S.C. 2171(e)(3)
source: 81 FR 89846, Dec. 13, 2016, unless otherwise noted.
cite as: 15 CFR 2004.23