Regulations last checked for updates: Nov 24, 2024

Title 1 - General Provisions last revised: Jan 01, 1900
§ 304.20 - General provisions.

(a) Purpose and scope. This subpart contains the rules that the Administrative Conference of the United States (“ACUS” or “the agency”) follows under the Privacy Act of 1974 (“the Privacy Act”), 5 U.S.C. 552a,as,regarding,and,certain. These rules should be read together with and are governed by the Privacy Act itself, which provides additional information about records maintained on individuals. The rules in this subpart apply to all records in Privacy Act systems of records maintained by the agency, which are retrieved by an individual's name or personal identifier. They describe the procedures by which individuals may request access to records about themselves, request amendment or correction of those records, and request an accounting of disclosures of those records by the agency. In addition, the agency processes all Privacy Act requests for access to records under the Freedom of Information Act (“FOIA”), 5 U.S.C. 552, as amended, following the rules contained in subpart A of this part. Thus, all Privacy Act requests will be subject to exemptions for access to records only applicable under both FOIA and the Privacy Act.

(b) Definitions. As used in this subpart:

(1) “Request for access to a record” means a request made under Privacy Act, 5 U.S.C. 552a(d)(1).

(2) “Request for amendment or correction of a record” means a request made under Privacy Act, 5 U.S.C. 552a(d)(2).

(3) “Request for an accounting” means a request made under Privacy Act, 5 U.S.C. 552a(c)(3).

(4) “Requester” means an individual who makes a request for access, a request for amendment or correction, or a request for an accounting under the Privacy Act.

§ 304.21 - Requests for access to records.

(a) How made and addressed. You may make a request for access to a record about yourself by appearing in person or by sending an e-mail message addressed to [email protected]. You may also send a written request letter to the agency either by mail addressed to 1120 20th Street, NW., South Lobby, Suite 706, Washington, DC 20036, or by fax delivery to (202) 386-7190. For the quickest possible handling of a mail request, you should mark both your request letter and the envelope “Privacy Act Request.”

(b) Description of records sought. You must describe the records that you want in enough detail to enable agency personnel to locate the system of records containing them with a reasonable amount of effort. Whenever possible, your request should describe the records sought, the time periods in which you believe they were compiled, and the name or identifying number of each system of records in which you believe they are kept. The agency publishes a notice in the Federal Register that describes its systems of records.

(c) Agreement to pay fees. If you make a Privacy Act request for access to records, it will be considered an agreement by you to pay all applicable fees charged under § 304.27, up to $50.00. Duplication fees in excess of $50.00 are subject to the requirements of § 304.27 of this subpart and the notification requirements in § 304.9 of subpart A. The agency ordinarily will confirm this agreement in an acknowledgment letter. When making a request, you may specify a willingness to pay a greater or lesser amount.

(d) Verification of identity. When you make a request for access to records about yourself, you must verify your identity. You must state your full name, current address, and date and place of birth. You must sign your request and your signature must either be notarized or submitted by you under 28 U.S.C. 1746,a. In order to help the identification and location of requested records, you may also, entirely at your option, include the last four digits of your social security number.

§ 304.22 - Responsibility for responding to requests for access to records.

(a) In general. The agency will be responsible for responding to a request in all respects, except in the case of a referral to another agency as is described in paragraphs (b), (c), and (d) of this section. In determining which records are responsive to a request, the agency ordinarily will include only records in its possession and control as of the date upon which it begins its search for them. If any other date is used, the agency will inform the requester of that date.

(b) Consultations and referrals. When the agency receives a request for access to a record in its possession and control, it will determine whether another agency of the Federal Government, is better able to determine whether the record is exempt from access under the Privacy Act. If the agency determines that it is the agency best able to process the record in response to the request, then it will do so. If it determines that it is not best able to process the record, then it will either:

(1) Respond to the request regarding that record, after consulting with the agency that is best able to determine whether the record is exempt from access and with any other agency that has a substantial interest in it; or

(2) Refer the responsibility for responding to the request regarding that record to the agency that is best able to determine whether it is exempt from access, or to another agency that originated the record (but only if that agency is subject to the Privacy Act). Ordinarily, the agency that originated a record will be presumed to be best able to determine whether it is exempt from access.

(c) Notice of referral. When the agency refers all or any part of the responsibility for responding to a request to another agency, it ordinarily will notify the requester of the referral and inform the requester of the name of the agency to which the request has been referred and of the part of the request that has been referred.

(d) Timing of responses to consultations and referrals. All consultations and referrals will be handled according to the date upon which the Privacy Act access request was initially received by the first agency, not any later date.

(e) Agreements regarding consultations and referrals. The agency may make agreements with other agencies designed to eliminate the need for consultations or referrals for particular types of records.

§ 304.23 - Responses to requests for access to records.

(a) Acknowledgments of requests. On receipt of a request, the agency ordinarily will send an acknowledgment letter to the requester that will confirm the requester's agreement to pay fees under § 304.21(c) and provide an assigned request number for further reference. In some cases, the agency may seek further information or clarification from the requester.

(b) Grants of requests for access. Once the agency makes a determination to grant a request for access in whole or in part, it will notify the requester in writing. The agency will inform the requester in the notice of any fee charged under § 304.27 and will disclose records to the requester promptly on payment of any applicable fee. If a request is made in person, the agency may disclose records to the requester directly, in a manner not unreasonably disruptive of its operations, on payment of any applicable fee and with a written record made of the grant of the request. If a requester is accompanied by another person, the requester will be required to authorize in writing any discussion of the records in the presence of the other person.

(c) Adverse determinations of requests for access. Upon making an adverse determination denying a request for access in any respect, the agency will notify the requester of that determination in writing. Adverse determinations, or denials of requests consist of: a determination to withhold any requested record in whole or in part; a determination that a requested record does not exist or cannot be located; a determination that what has been requested is not a record subject to the Privacy Act; a determination on any disputed fee matter; and a denial of a request for expedited treatment. The notification letter will include:

(1) The name and title or position of the person responsible for the denial;

(2) A brief statement of the reason(s) for the denial, including any Privacy Act exemption(s) applied in denying the request; and

(3) A statement that the denial may be appealed under § 304.24(a) and a description of the requirements of § 304.24(a).

§ 304.24 - Appeals from denials of requests for access to records.

(a) Appeals. If you are dissatisfied with the response to your request, you may appeal an adverse determination denying your request, in any respect, to the Chairman of the agency. You must make your appeal in writing, by e-mail or letter, and it must be received by the agency within 60 days of the date of the denial of your request. Your appeal letter should provide reasons and supporting information as to why the initial determination was incorrect. The appeal should clearly identify the particular determination (including the assigned request number, if known) that you are appealing. For the quickest possible handling of a mail request, you should mark your appeal letter and the envelope “Privacy Act Appeal.” The Chairman of the agency or his or her designee will act on the appeal, except that an appeal ordinarily will not be acted on if the request becomes a matter of FOIA or Privacy Act litigation.

(b) Responses to appeals. The decision on your appeal will be made in writing. A decision affirming an adverse determination in whole or in part will include a brief statement of the reason(s) for the affirmance, including any exemption applied, and will inform you of the Privacy Act provisions for court review of the decision. If the adverse determination is reversed or modified on appeal in whole or in part, then you will be notified in a written decision and your request will be reprocessed in accordance with that appeal decision.

(c) When appeal is required. As a general rule, if you wish to seek review by a court of any adverse determination or denial of a request, you must first appeal it under this section.

§ 304.25 - Requests for amendment or correction of records.

(a) How made and addressed. Unless the record is not subject to amendment or correction as stated in paragraph (f) of this section, you may make a request for amendment or correction of an ACUS record about yourself by following same procedures as in § 304.21. Your request should identify each particular record in question, state the amendment or correction that you want, and state why you believe that the record is not accurate, relevant, timely, or complete. You may submit any documentation that you think would be helpful. If you believe that the same record is maintained in more than one system of records, you should state that.

(b) Agency responses. Within ten business days of receiving your request for amendment or correction of records, the agency will send you a written acknowledgment of its receipt of your request. The agency will promptly notify you whether your request is granted or denied. If the agency grants your request in whole or in part, it will describe the amendment or correction made and will advise you of your right to obtain a copy of the corrected or amended record, in disclosable form. If the agency denies your request in whole or in part, it will send you a letter that will state:

(1) The reason(s) for the denial; and

(2) The procedure for appeal of the denial under paragraph (c) of this section, including the name and business address of the official who will act on your appeal.

(c) Appeals. You may appeal a denial of a request for amendment or correction in the same manner as a denial of a request for access to records (see § 304.24(a)) and the same procedures will be followed. The agency will ordinarily act on the appeal within 30 business days of receipt of the appeal, except that the Chairman of the agency may extend the time for response for good cause shown. If your appeal is denied, you will be advised of your right to file a Statement of Disagreement as described in paragraph (d) of this section and of your right under the Privacy Act for court review of the decision.

(d) Statements of Disagreement. If your appeal under this section is denied in whole or in part, you have the right to file a Statement of Disagreement that states your reason(s) for disagreeing with the agency's denial of your request for amendment or correction. Statements of Disagreement must be concise, must clearly identify each part of any record that is disputed, and should be no longer than one typed page for each fact disputed. The agency will place your Statement of Disagreement in the system of records in which the disputed record is maintained and will mark the disputed record to indicate that a Statement of Disagreement has been filed and exactly where in the system of records it may be found.

(e) Notification of amendment/correction or disagreement. Within 30 business days of the amendment or correction of a record, the agency will notify all persons, organizations, or agencies to which it previously disclosed the record, if an accounting of that disclosure was made, that the record has been amended or corrected. If an individual has filed a Statement of Disagreement, the agency will append a copy of it to the disputed record whenever the record is disclosed and may also append a concise statement of its reason(s) for denying the request to amend or correct the record.

(f) Records not subject to amendment or correction. The following records are not subject to amendment or correction:

(1) Transcripts of testimony given under oath or written statements made under oath;

(2) Transcripts of grand jury proceedings, judicial proceedings, or quasi-judicial proceedings, which are the official record of those proceedings; and

(3) Any other record that originated with the courts.

§ 304.26 - Requests for an accounting of record disclosures.

(a) How made and addressed. Except where accountings of disclosures are not required to be kept (as stated in paragraph (b) of this section), you may make a request for an accounting of any disclosure that has been made by the agency to another person, organization, or agency of any record about you. This accounting contains the date, nature, and purpose of each disclosure, as well as the name and address of the person, organization, or agency to which the disclosure was made. Your request for an accounting should identify each particular record in question and should be made in writing to the agency, following the procedures in § 304.21.

(b) Where accountings are not required. The agency is not required to provide accountings to you where they relate to:

(1) Disclosures for which accountings are not required to be kept (i.e., disclosures that are made to officers and employees of the agency and disclosures required under the FOIA); or

(2) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from a duly authorized representative of any such law enforcement agency specifying portion of the record desired and the law enforcement activity for which the record is sought.

(c) Appeals. You may appeal a denial of a request for an accounting in the same manner as a denial of a request for access to records (see § 304.24(a)) and the same procedures will be followed.

§ 304.27 - Fees.

The agency will charge fees for duplication of records under the Privacy Act in the same way in which it charges duplication fees under § 304.9 of subpart A. No search or review fee may be charged for any record under the Privacy Act.

§ 304.28 - Notice of court-ordered and emergency disclosures.

(a) Court-ordered disclosures. When a record pertaining to an individual is required to be disclosed by a court order, the agency will make reasonable efforts to provide notice of such order to the individual. Notice will be given within a reasonable time after the agency's receipt of the order, except that in a case in which the order is not a matter of public record, the notice will be given only after the order becomes public. This notice will be mailed to the individual's last known address and will contain a copy of the order and a description of the information disclosed.

(b) Emergency disclosures. Upon disclosing a record pertaining to an individual made under compelling circumstances affecting health or safety, the agency will notify that individual of the disclosure. This notice will be mailed to the individual's last known address and will state the nature of the information disclosed; the person, organization, or agency to which it was disclosed; the date of disclosure; and the compelling circumstances justifying the disclosure.

§ 304.29 - Security of systems of records.

(a) Administrative and physical controls. The agency will have administrative and physical controls to prevent unauthorized access to its systems of records, to prevent unauthorized disclosure of records, and to prevent physical damage to or destruction of records. The stringency of these controls corresponds to the sensitivity of the records that the controls protect. At a minimum, these controls are designed to ensure that:

(1) Records are protected from public view;

(2) The area in which records are kept is supervised during business hours in order to prevent unauthorized persons from having access to them;

(3) Records are inaccessible to unauthorized persons outside of business hours; and

(4) Records are not disclosed to unauthorized persons or under unauthorized circumstances in oral, written or any other form.

(b) Restrictive procedures. The agency will implement practices and procedures that restrict access to records to only those individuals within the agency who must have access to those records in order to perform their duties and that prevent inadvertent disclosure of records.

§ 304.30 - Contracts for the operation of record systems.

Any approved contract for the operation of a record system will contain appropriate requirements issued by the General Services Administration in order to ensure compliance with the requirements of the Privacy Act for that record system. The contracting officer of the agency will be responsible for ensuring that the contractor complies with these contract requirements.

§ 304.31 - Use and collection of social security numbers and other information.

The agency will ensure that employees authorized to collect information are aware:

(a) That individuals may not be denied any right, benefit, or privilege as a result of refusing to provide their social security numbers, unless the collection is authorized either by a statute or by a regulation issued prior to 1975;

(b) That individuals requested to provide their social security numbers, or any other information collected from them, must be informed, before providing such information, of:

(1) Whether providing social security numbers (or such other information) is mandatory or voluntary;

(2) Any statutory or regulatory authority that authorizes the collection of social security numbers (or such other information);

(3) The principal purpose(s) for which the information is intended to be used;

(4) The routine uses that may be made of the information; and

(5) The effects, in any, on the individual of not providing all or any part of the requested information; and

(c) That, where the information referred to above is requested on a form, the requirements for informing such individuals are set forth on the form used to collect the information, or on a separate form that can be retained by such individuals.

§ 304.32 - Employee standards of conduct.

The agency will inform its employees of the provisions of the Privacy Act, including the scope of its restriction against disclosure of records maintained in a system of records without the prior written consent of the individual involved, and the Act's civil liability and criminal penalty provisions. Unless otherwise permitted by law, an employee of the agency will:

(a) Collect from individuals and maintain only the information that is relevant and necessary to discharge the agency's responsibilities;

(b) Collect information about an individual directly from that individual to the greatest extent practicable when the information may result in an adverse determination about an individual's rights, benefits, or privileges under Federal programs;

(c) Inform each individual from whom information is collected of the information set forth in § 304.31(b);

(d) Ensure that the agency maintains no system of records without public notice and also notify appropriate agency officials of the existence or development of any system of records that is not the subject of a current or planned public notice;

(e) Maintain all records that are used by it in making any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination;

(f) Except as to disclosures made to an agency or made under the FOIA, make reasonable efforts, prior to disseminating any record about an individual, to ensure that the record is accurate, relevant, timely, and complete;

(g) Maintain no record describing how an individual exercises his or her First Amendment rights unless such maintenance is expressly authorized by statute or by the individual about whom the record is maintained or is pertinent to and within the scope of an authorized law enforcement activity;

(h) When required by the Privacy Act, maintain an accounting in the specified form of all disclosures of records by the agency to persons, organizations, or agencies;

(i) Maintain and use records with care in order to prevent the unauthorized or inadvertent disclosure of a record to anyone; and

(j) Notify the appropriate agency official of any record that contains information that the Privacy Act does not permit the agency to maintain.

§ 304.33 - Preservation of records.

The agency will preserve all correspondence pertaining to the requests that it receives under this subpart, as well as copies of all requested records, until disposition or destruction is authorized by title 44 of the United States Code or the National Archives and Records Administration's General Records Schedule 14. Records will not be disposed of while they are the subject of a pending request, appeal, or lawsuit under the Act.

§ 304.34 - Other rights and services.

Nothing in this subpart shall be construed to entitle any person, as of right, to any service or to the disclosure of any record to which such person is not entitled under the Privacy Act.

source: 76 FR 18635, Apr. 5, 2011, unless otherwise noted.
cite as: 1 CFR 304.28