Regulations last checked for updates: Nov 22, 2024
Title 32 - National Defense last revised: Nov 18, 2024
§ 1701.1 - Purpose, scope, applicability.
(a) Purpose. This subpart establishes the policies and procedures the Office of the Director of National Intelligence (ODNI) will follow in implementing the requirements of the Privacy Act of 1974, 5 U.S.C. 552a,as. This subpart sets forth the procedures ODNI must follow in collecting and maintaining personal information from or about individuals, as well as procedures by which individuals may request to access or amend records about themselves and request an accounting of disclosures of those records by the ODNI. In addition, this subpart details parameters for disclosing personally identifiable information to persons other than the subject of a record.
(b) Scope. The provisions of this subpart apply to all records in systems of records maintained by ODNI directorates, centers, mission managers and other sub-organizations [hereinafter called “components”] that are retrieved by an individual's name or personal identifier.
(c) Applicability. This subpart governs the following individuals and entities:
(1) All ODNI staff and components must comply with this subpart. The terms “staff” and “component” are defined in § 1701.2.
(2) Unless specifically exempted, this subpart also applies to advisory committees and councils within the meaning of the Federal Advisory Committee Act (FACA) which provide advice to: Any official or component of ODNI; or the President, and for which ODNI has been delegated responsibility for providing service.
(d) Relation to Freedom of Information Act. The ODNI shall provide a subject individual under this subpart all records which are otherwise accessible to such individual under the provisions of the Freedom of Information Act, 5 U.S.C. 552.
§ 1701.2 - Definitions.
For purposes of this subpart, the following terms have the meanings indicated:
Access means making a record available to a subject individual.
Act means the Privacy Act of 1974.
Agency means the ODNI or any of its components.
Component means any directorate, mission manager, or other sub-organization in the ODNI or reporting to the Director, that has been designated or established in the ODNI pursuant to Section 103 of the National Security Act of 1947, as amended, including the National Counterterrorism Center (NCTC), the National Counterproliferation Center (NCPC) and the Office of the National Counterintelligence Executive (ONCIX), or such other offices and officials as may be established by law or as the Director may establish or designate in the ODNI, for example, the Program Manager, Information Sharing Environment (ISE) and the Inspector General (IG).
Disclosure means making a record about an individual available to or releasing it to another party.
FOIA means the Freedom of Information Act.
Individual, when used in connection with the Privacy Act, means a living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. It does not include sole proprietorships, partnerships, or corporations.
Information means information about an individual and includes, but is not limited to, vital statistics; race, sex, or other physical characteristics; earnings information; professional fees paid to an individual and other financial information; benefit data or claims information; the Social Security number, employer identification number, or other individual identifier; address; phone number; medical information; and information about marital, family or other personal relationships.
Maintain means to establish, collect, use, or disseminate when used in connection with the term record; and, to have control over or responsibility for a system of records, when used in connection with the term system of records.
Notification means communication to an individual whether he is a subject individual.
Office of the Director of National Intelligence means any and all of the components of the ODNI.
Record means any item, collection, or grouping of information about an individual that is maintained by the ODNI including, but not limited to, information such as an individual's education, financial transactions, medical history, and criminal or employment history that contains the individual's name, or an identifying number, symbol, or any other identifier assigned to an individual. When used in this subpart, record means only a record that is in a system of records.
Routine use means the disclosure of a record outside ODNI, without the consent of the subject individual, for a purpose which is compatible with the purpose for which the record was collected. It does not include disclosure which the Privacy Act otherwise permits pursuant to subsection (b) of the Act.
Staff means any current or former regular or special employee, detailee, assignee, employee of a contracting organization, or independent contractor of the ODNI or any of its components.
Subject individual means the person to whom a record pertains (or “record subject”).
System of records means a group of records under ODNI's control from which information about an individual is retrieved by the name of the individual or by an identifying number, symbol, or other particular assigned to the individual. Single records or groups of records which are not retrieved by a personal identifier are not part of a system of records,
§ 1701.3 - Contact for general information and requests.
Privacy Act requests and appeals and inquiries regarding this subpart or about ODNI's Privacy Act program must be submitted in writing to the Director, Information Management Office (D/IMO), Office of the Director of National Intelligence, Washington, DC 20511 (by mail or by facsimile at 703-482-2144) or to the contact designated in the specific Privacy Act System of Records Notice. Privacy Act requests with the required identification statement and signature pursuant to paragraphs (d) and (e) of § 1701.7 of this subpart must be filed in original form.
§ 1701.4 - Privacy Act responsibilities/policy.
The ODNI will administer records about individuals consistent with statutory, administrative, and program responsibilities. Subject to exemptions authorized by the Act, ODNI will collect, maintain and disclose records as required and will honor subjects' rights to view and amend records and to obtain an accounting of disclosures.
§ 1701.5 - Collection and maintenance of records.
(a) ODNI will not maintain a record unless:
(1) It is relevant and necessary to accomplish an ODNI function required by statute or Executive Order;
(2) It is acquired to the greatest extent practicable from the subject individual when ODNI may use the record to make any determination about the individual;
(3) The individual providing the record is informed of the authority for providing the record (including whether providing the record is mandatory or voluntary), the principal purpose for maintaining the record, the routine uses for the record, and what effect refusing to provide the record may have;
(4) It is maintained with such accuracy, relevance, timeliness and completeness as is reasonably necessary to ensure fairness to the individual in the determination;
(b) Except as to disclosures made to an agency or made under the FOIA, ODNI will make reasonable efforts prior to disseminating a record about an individual, to ensure that the record is accurate, relevant, timely, and complete;
(c) ODNI will not maintain or develop a system of records that is not the subject of a current or planned public notice;
(d) ODNI will not adopt a routine use of information in a system without notice and invitation to comment published in the Federal Register at least 30 days prior to final adoption of the routine use;
(e) To the extent ODNI participates with a non-Federal agency in matching activities covered by section (8) of the Act, ODNI will publish notice of the matching program in the Federal Register;
(f) ODNI will not maintain a record which describes how an individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the subject individual, or unless pertinent to and within the scope of an authorized law enforcement activity;
(g) When required by the Act, ODNI will maintain an accounting of all disclosures of records by the ODNI to persons, organizations or agencies;
(h) Each ODNI component shall implement administrative, physical and technical controls to prevent unauthorized access to its systems of records, to prevent unauthorized disclosure of records, and to prevent physical damage to or destruction of records;
(i) ODNI will establish rules and instructions for complying with the requirements of the Privacy Act, including notice of the penalties for non-compliance, applicable to all persons involved in the design, development, operation or maintenance of any system of records.
§ 1701.6 - Disclosure of records/policy.
Consistent with 5 U.S.C. 552a(b), ODNI will not disclose any record which is contained in a system of records by any means (written, oral or electronic) without the consent of the subject individual unless disclosure without consent is made for reasons permitted under applicable law, including:
(a) Internal agency use on a need-to-know basis;
(b) Release under the Freedom of Information Act (FOIA) if not subject to protection under the FOIA exemptions;
(c) A specific “routine use” as described in the ODNI's published compilation of Routine Uses Applicable to More Than One ODNI System of Records or in specific published Privacy Act Systems of Records Notices (available at http://www.dni.gov);
(d) Release to the Bureau of the Census, the National Archives and Records Administration, or the Government Accountability Office, for the performance of those entities' statutory duties;
(e) Release in non-identifiable form to a recipient who has provided written assurance that the record will be used solely for statistical research or reporting;
(f) Compelling circumstances in which the health or safety of an individual is at risk;
(g) Release pursuant to the order of a court of competent jurisdiction or to a governmental entity for a specifically documented civil or criminal law enforcement activity;
(h) Release to either House of Congress or to any committee, subcommittee or joint committee thereof to the extent of matter within its jurisdiction;
(i) Release to a consumer reporting agency in accordance with section 3711(e) of Title 31.
§ 1701.7 - Requests for notification of and access to records.
(a) How to request. Unless records are not subject to access (see paragraph (b) of this section), individuals seeking access to records about themselves may submit a request in writing to the D/IMO, as directed in Sec. 1701.3 of this subpart, or to the contact designated in the specific Privacy Act System of Records Notice. To ensure proper routing and tracking, requesters should mark the envelope “Privacy Act Request.”
(b) Records not subject to access. The following records are not subject to review by subject individuals:
(1) Records in ODNI systems of records that ODNI has exempted from access and correction under the Privacy Act, 5 U.S.C. 552a(j) or (k), by notice published in the Federal Register, or where those exemptions require that ODNI can neither confirm nor deny the existence or nonexistence of responsive records (see § 1701.10(c)(iii)).
(2) Records in ODNI systems of records that another agency has exempted from access and correction under the Privacy Act, 5 U.S.C. 552a(j) or (k), by notice published in the Federal Register, or where those exemptions require that ODNI can neither confirm nor deny the existence or nonexistence of responsive records (see § 1701.10(c)(iii)).
(c) Description of records. Individuals requesting access to records about themselves should, to the extent possible, describe the nature of the records, why and under what circumstances the requester believes ODNI maintains the records, the time period in which they may have been compiled and, ideally, the name or identifying number of each Privacy Act System of Records in which they might be included. The ODNI publishes notices in the Federal Register that describe its systems of records. The Federal Register compiles these notices biennially and makes them available in hard copy at large reference libraries and in electronic form at the Government Printing Office's World Wide Web site, http://www.gpoaccess.gov.
(d) Verification of identity. A written request for access to records about oneself must include full (legal) name, current address, date and place of birth, and citizenship status. Aliens lawfully admitted for permanent residence must provide their Alien Registration Number and the date that status was acquired. The D/IMO may request additional or clarifying information to ascertain identity. Access requests must be signed and the signature either notarized or submitted under 28 U.S.C. 1746,authorizing.
(e) Verification of guardianship or representational relationship. The parent or guardian of a minor, the guardian of an individual under judicial disability, or an attorney retained to represent an individual shall provide, in addition to establishing the identity of the minor or individual represented as required in paragraph (d) of this section, evidence of such representation by submitting a certified copy of the minor's birth certificate, court order, or representational agreement which establishes the relationship and the requester's identity.
(f) ODNI will permit access to or provide copies of records to individuals other than the record subject (or the subject's legal representative) only with the requester's written authorization.
§ 1701.8 - Requests to amend or correct records.
(a) How to request. Unless the record is not subject to amendment or correction (see paragraph (b) of this section), individuals (or guardians or representatives acting on their behalf) may make a written amendment or correction request to the D/IMO, as directed in § 1701.3 of this subpart, or to the contact designated in a specific Privacy Act System of Records. Requesters seeking amendment or correction should identify the particular record or portion subject to the request, explain why an amendment or correction is necessary, and provide the desired replacement language. Requesters may submit documentation supporting the request to amend or correct. Requests for amendment or correction will lapse (but may be re-initiated with a new request) if all necessary information is not submitted within forty-five (45) days of the date of the original request. The identity verification procedures of paragraphs (d) and (e) of § 1701.7 of this subpart apply to amendment requests.
(b). (1) Records which are determinations of fact or evidence received (e.g., transcripts of testimony given under oath or written statements made under oath; transcripts of grand jury proceedings, judicial proceedings, or quasi-judicial proceedings, which are the official record of those proceedings; pre-sentence records that originated with the courts) and
(2) Records in ODNI systems of records that ODNI or another agency has exempted from amendment and correction under Privacy Act, 5 U.S.C. 552a(j) or (k) by notice published in the Federal Register.
§ 1701.9 - Requests for an accounting of record disclosures.
(a) How to request. Except where accountings of disclosures are not required to be kept (see paragraph (b) of this section), record subjects (or their guardians or representatives) may request an accounting of disclosures that have been made to another person, organization, or agency as permitted by the Privacy Act at 5 U.S.C. 552a(b). This accounting contains the date, nature, and purpose of each disclosure, as well as the name and address of the person, organization, or agency to which the disclosure was made. Requests for accounting should identify each record in question and must be made in writing to the D/IMO, as indicated in § 1701.3 of this subpart, or to the contact designated in a specific Privacy Act System of Records.
(b) Accounting not required. The ODNI is not required to provide accounting of disclosure in the following circumstances:
(1) Disclosures for which the Privacy Act does not require accounting, i.e., disclosures to employees within the agency and disclosures made under the FOIA;
(2) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from the respective head of the law enforcement agency specifying the law enforcement activities for which the disclosures are sought; or
(3) Disclosures from systems of records that have been exempted from accounting requirements under the Privacy Act, 5 U.S.C. 552a(j) or (k), by notice published in the Federal Register.
§ 1701.10 - ODNI responsibility for responding to access requests.
(a) Acknowledgement of requests. Upon receipt of a request providing all necessary information, the D/IMO shall acknowledge receipt to the requester and provide an assigned request number for further reference.
(b) Tasking to component. Upon receipt of a proper access request, the D/IMO shall provide a copy of the request to the point of contact (POC) in the ODNI component with which the records sought reside. The POC within the component shall determine whether responsive records exist and, if so, recommend to the D/IMO:
(1) Whether access should be denied in whole or part (and the legal basis for denial under the Privacy Act); or
(2) Whether coordination with or referral to another component or federal agency is appropriate.
(c) Coordination and referrals—(1) Examination of records. If a component POC receiving a request for access determines that an originating agency or other agency that has a substantial interest in the record is best able to process the request (e.g., the record is governed by another agency's regulation, or another agency originally generated or classified the record), the POC shall forward to the D/IMO all records necessary for coordination with or referral to the other component or agency, as well as specific recommendations with respect to any denials.
(2) Notice of referral. Whenever the D/IMO refers all or any part of the responsibility for responding to a request to another agency, the D/IMO shall notify the requester of the referral.
(3) Effect of certain exemptions. (i) In processing a request, the ODNI shall decline to confirm or deny the existence or nonexistence of any responsive records whenever the fact of their existence or nonexistence:
(A) May reveal protected intelligence sources and collection methods (50 U.S.C. 403-1(i)); or
(B) Is classified and subject to an exemption appropriately invoked by ODNI or another agency under subsections (j) or (k) of the Privacy Act.
(ii) In such event, the ODNI will inform the requester in writing and advise the requestor of the right to file an administrative appeal of any adverse determination.
(d) Time for response. The D/IMO shall respond to a request for access promptly upon receipt of recommendations from the POC and determinations resulting from any necessary coordination with or referral to another agency. The D/IMO may determine to update a requester on the status of a request that remains outstanding longer than reasonably expected.
(e) ODNI action on requests for access—(1) Grant of access. Once the D/IMO determines to grant a request for access in whole or in part, the D/IMO shall notify the requester in writing and come to agreement with the requester about how to effect access, whether by on-site review or duplication of the records. If a requester is accompanied by another person, the requester shall be required to authorize in writing any discussion of the records in the presence of the other person.
(2) Denial of access. The D/IMO shall notify the requester in writing when an adverse determination is made denying a request for access in any respect. Adverse determinations, or denials, consist of a determination to withhold any requested record in whole or in part; a determination that a requested record does not exist or cannot be located; a determination that what has been requested is not a record subject to the Privacy Act; or a determination that the existence of a record can neither be confirmed nor denied. The notification letter shall state:
(i) The reason(s) for the denial; and
(ii) The procedure for appeal of the denial under § 1701.14 of this subpart.
§ 1701.11 - ODNI responsibility for responding to requests for amendment or correction.
(a) Acknowledgement of request. The D/IMO shall acknowledge receipt of a request for amendment or correction of records in writing and provide an assigned request number for further reference.
(b) Tasking of component. Upon receipt of a proper request to amend or correct a record, the D/IMO shall forward the request to the POC in the component maintaining the record. The POC shall promptly evaluate the proposed amendment or correction in light of any supporting justification and recommend that the D/IMO grant or deny the request or, if the request involves a record subject to correction by an originating agency, refer the request to the other agency.
(c) Action on request for amendment or correction. (1) If the POC determines that the request for amendment or correction is justified, in whole or in part, the D/IMO shall promptly:
(i) Make the amendment, in whole or in part, as requested and provide the requester a written description of the amendment or correction made; and
(ii) Provide written notice of the amendment or correction to all persons, organizations or agencies to which the record has been disclosed (if an accounting of the disclosure was made);
(2) Where the D/IMO has referred an amendment request to another agency, the D/IMO, upon confirmation from that agency that the amendment has been effected, shall provide written notice of the amendment or correction to all persons, organizations or agencies to which ODNI previously disclosed the record.
(3) If the POC determines that the requester's records are accurate, relevant, timely and complete, and that no basis exists for amending or correcting the record, either in whole or in part, the D/IMO shall inform the requester in writing of:
(i) The reason(s) for the denial; and
(ii) The procedure for appeal of the denial under Sec. 1701.15 of this subpart.
§ 1701.12 - ODNI responsibility for responding to requests for accounting.
(a) Acknowledgement of request. Upon receipt of a request for accounting, the D/IMO shall acknowledge receipt of the request in writing and provide an assigned request number for further reference.
(b) Tasking of component. Upon receipt of a request for accounting, the D/IMO shall forward the request to the POC in the component maintaining the record. The POC shall work with the component's information management officer and the systems administrator to generate the requested disclosure history.
(c) Action on request for accounting. The D/IMO will notify the requester when the accounting is available for on-site review or transmission in paper or electronic medium.
(d) Notice of court-ordered disclosures. The D/IMO shall make reasonable efforts to notify an individual whose record is disclosed pursuant to court order. Notice shall be made within a reasonable time after receipt of the order; however, when the order is not a matter of public record, the notice shall be made only after the order becomes public. Notice shall be sent to the individual's last known address and include a copy of the order and a description of the information disclosed. No notice shall be made regarding records disclosed from a criminal law enforcement system that has been exempted from the notice requirement.
(e) Notice of emergency disclosures. ODNI shall notify an individual whose record it discloses under compelling circumstances affecting health or safety. This notice shall be mailed to the individual's last known address and shall state the nature of the information disclosed; the person, organization, or agency to which it was disclosed; the date of disclosure; and the compelling circumstances justifying the disclosure. This provision shall not apply in circumstances involving classified records that have been exempted from disclosure pursuant to subsection (j) or (k) of the Privacy Act.
§ 1701.13 - Special procedures for medical/psychiatric/psychological records.
Current and former ODNI employees, including current and former employees of ODNI contractors, and unsuccessful applicants for employment may seek access to their medical, psychiatric or psychological testing records by writing to: Information and Privacy Coordinator, Central Intelligence Agency, Washington, DC 20505, and provide identifying information as required by paragraphs (d) and (e) of § 1701.7 of this subpart. The Central Intelligence Agency's Privacy Act Regulations will govern administration of these types of records, including appeals from adverse determinations.
§ 1701.14 - Appeals.
(a) Individuals may appeal denials of requests for access, amendment, or accounting by submitting a written request for review to the Director, Information Management Office (D/IMO) at the Office of the Director of National Intelligence, Washington, DC 20511. The words “PRIVACY ACT APPEAL” should be written on the letter and the envelope. The appeal must be signed by the record subject or legal representative. No personal appearance or hearing on appeal will be allowed.
(b) The D/IMO must receive the appeal letter within 45 calendar days of the date the requester received the notice of denial. The postmark is conclusive as to timeliness. Copies of correspondence from ODNI denying the request to access or amend the record should be included with the appeal, if possible. At a minimum, the appeal letter should identify:
(1) The records involved;
(2) The date of the initial request for access to or amendment of the record;
(3) The date of ODNI's denial of that request; and
(4) A statement of the reasons supporting the request for reversal of the initial decision. The statement should focus on information not previously available or legal arguments demonstrating that the ODNI's decision is improper.
(c) Following receipt of the appeal, the Director of Intelligence Staff (DIS) shall, in consultation with the Office of General Counsel, make a final determination in writing on the appeal.
(d) Where ODNI reverses an initial denial, the following procedures apply:
(1) If ODNI reverses an initial denial of access, the procedures in paragraph (e)(1) of § 1701.10 of this subpart will apply.
(2) If ODNI reverses its initial denial of a request to amend a record, the POC will ensure that the record is corrected as requested, and the D/IMO will inform the individual of the correction, as well as all persons, organizations and agencies to which ODNI had disclosed the record.
(3) If ODNI reverses its initial denial of a request for accounting, the POC will notify the requester when the accounting is available for on-site review or transmission in paper or electronic medium.
(e) If ODNI upholds its initial denial or reverses in part (i.e., only partially granting the request), ODNI's notice of final agency action will inform the requester of the following rights:
(1) Judicial review of the denial under 5 U.S.C. 552a(g)(1), as limited by 5 U.S.C. 552a(g)(5).
(2) Opportunity to file a statement of disagreement with the denial, citing the reasons for disagreeing with ODNI's final determination not to correct or amend a record. The requester's statement of disagreement should explain why he disputes the accuracy of the record.
(3) Inclusion in one's record of copies of the statement of disagreement and the final denial, which ODNI will provide to all subsequent recipients of the disputed record, as well as to all previous recipients of the record where an accounting was made of prior disclosures of the record.
§ 1701.15 - Fees.
ODNI shall charge fees for duplication of records under the Privacy Act, 5 U.S.C. 552a,in.7(g), ODNI's regulation implementing the fee provision of the Freedom of Information Act, 5 U.S.C. 552.
§ 1701.16 - Contractors.
(a) Any approved contract for the operation of a Privacy Act system of records to accomplish a function of the ODNI will contain the Privacy Act provisions prescribed by the Federal Acquisition Regulations (FAR) at 48 CFR part 24, requiring the contractor to comply with the Privacy Act and this subpart. The contracting component will be responsible for ensuring that the contractor complies with these contract requirements. This section does not apply to systems of records maintained by a contractor as a function of management discretion, e.g., the contractor's personnel records.
(b) Where the contract contains a provision requiring the contractor to comply with the Privacy Act and this subpart, the contractor and any employee of the contractor will be considered employees of the ODNI for purposes of the criminal penalties of the Act, 5 U.S.C. 552a(i).
§ 1701.17 - Standards of conduct.
(a) General. ODNI will ensure that staff are aware of the provisions of the Privacy Act and of their responsibilities for protecting personal information that ODNI collects and maintains, consistent with Sec. 1701.5 and 1701.6 of this subpart.
(b) Criminal penalties—(1) Unauthorized disclosure. Criminal penalties may be imposed against any ODNI staff who, by virtue of employment, has possession or access to ODNI records which contain information identifiable with an individual, the disclosure of which is prohibited by the Privacy Act or by these rules, and who, knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it.
(2) Unauthorized maintenance. Criminal penalties may be imposed against any ODNI staff who willfully maintains a system of records without meeting the requirements of subsection (e)(4) of the Privacy Act, 5 U.S.C. 552a. The D/IMO, the Civil Liberties Protection Officer, the General Counsel, and the Inspector General are authorized independently to conduct such surveys and inspect such records as necessary from time to time to ensure that these requirements are met.
(3) Unauthorized requests. Criminal penalties may be imposed upon any person who knowingly and willfully requests or obtains any record concerning an individual from the ODNI under false pretenses.
source: 73 FR 16532, Mar. 28, 2008, unless otherwise noted.
cite as: 32 CFR 1701.3