(a) How made and addressed. (1) DHS has a decentralized system for responding to Privacy Act and JRA requests, with each component designating an office to process records from that component.
(2) An individual may make a request for access to a Department of Homeland Security record about that individual covered by a DHS-wide or component system of records notice (SORN) by writing directly to the Department component that maintains the record at the address listed in appendix A to this part or via the internet at https://www.dhs.gov/foia. A description of all DHS-wide and component SORNs may be found here: https://www.dhs.gov/system-records-notices-sorns.
(3) In most cases, a component's central FOIA office, as indicated in appendix A to this part, is the place to send a Privacy Act request. For records held by a field office of U.S. Customs and Border Protection, the U.S. Coast Guard, or other Department components with field offices other than the U.S. Secret Service and Transportation Security Administration, the requester must write directly to that U.S. Customs and Border Protection, Coast Guard, or other field office address, which can be found by calling the component's central FOIA office. Requests for U.S. Secret Service records should be sent only to the U.S. Secret Service central FOIA office, and requests for Transportation Security Administration records should be sent only to the Transportation Security Administration central FOIA office.
(4) Requests for records held by the Cybersecurity and Infrastructure Security Agency (CISA) should be sent to the DHS Privacy Office.
(5) DHS's FOIA website refers the reader to descriptions of the functions of each component and provides other information that is helpful in determining where to make a request. Each component's FOIA office and any additional requirements for submitting a request to a given component are listed in appendix A to this part. These references can all be used by requesters to determine where to send their requests within DHS.
(6) An individual may send a request to the Privacy Office, Mail Stop 0655, U.S. Department of Homeland Security, 2707 Martin Luther King Jr. Ave. SE, Washington, DC 20528-0655, or via the internet at https://www.dhs.gov/foia, or via fax to (202) 343-4011 for any of the Headquarters Offices of the Department of Homeland Security listed Appendix A to Subpart 5. In addition, if a requester does not know which DHS component may maintain responsive records to a request, the requester may explicitly ask for assistance from the DHS Privacy Office with identifying the proper component that most likely maintains any potential responsive records citing this section of the regulations. Upon a request for assistance and based on information provided in the FOIA request and by the requester, the Privacy Office will forward the request to the DHS component(s) that it determines to be most likely, as of the date of the request for information, to maintain the records that are sought. The Privacy Office will notify the requester that it is forwarding the request, including identifying the component(s) where the request has been sent, provide the FOIA Public Liaison contact information for the respective component(s), and provide administrative appeal rights in the response. If the requester does not agree with the Privacy Office's determination regarding which components would likely have records responsive to the request, the requester must submit a timely appeal of the Privacy Office's determination. For the quickest possible handling, the requester should mark both the request letter and the envelope “Privacy Act Request” or “Judicial Redress Act Request.”
(b) Government-wide SORNs. A government-wide system of records is a system of records where one agency has regulatory authority over records in the custody of multiple agencies, and the agency with regulatory authority publishes a SORN that applies to all of the records regardless of their custodial location. If records are sought that are covered by a Government-wide SORN and requested of DHS, DHS will consult or refer such request, only as applicable and necessary, to the corresponding agency having authority over such records for further processing. DHS will acknowledge to the requester that it is referring the request to another agency or consulting with that agency when processing the request.
(c) Description of records sought. A requester must describe the records sought in sufficient detail to enable Department personnel to locate the system of records covering them with a reasonable amount of effort. Whenever possible, the request should describe the records sought, the time periods in which the requester believes they were compiled, the office or location in which the requester believes the records are kept, and the name or identifying number of each system of records in which the requester believes they are kept. The Department publishes notices in the Federal Register that describe its components' systems of records. These notices can be found on the Department's website here: https://www.dhs.gov/system-records-notices-sorns. If a request does not adequately describe the records sought, DHS may at its discretion either administratively close the request or seek additional information from the requester. Requests for clarification or more information will be made in writing (either via U.S. mail or electronic mail whenever possible). Requesters may respond by U.S. Mail or by electronic mail regardless of the method used by DHS to transmit the request for additional information. To be considered timely, responses to requests for additional information must be postmarked or received by electronic mail within 30 working days of the postmark date or date of the electronic mail request for additional information. If the requester does not respond timely, the request may be administratively closed at DHS's discretion. This administrative closure does not prejudice the requester's ability to submit a new request for further consideration with additional information.
(d) Agreement to pay fees. DHS and components shall charge for processing requests under the Privacy Act or JRA. DHS and components will ordinarily use the most efficient and least expensive method for processing requested records. DHS may contact a requester for additional information in order to resolve any fee issues that arise under this section. DHS ordinarily will collect all applicable fees before sending copies of records to a requester. If one makes a Privacy Act or JRA request for access to records, it will be considered a firm commitment to pay all applicable fees charged under § 5.29, up to $25.00. The component responsible for responding to a request ordinarily will confirm this agreement in an acknowledgement letter. When making a request, an individual may specify a willingness to pay a greater or lesser amount. Requesters must pay fees by check or money order made payable to the Treasury of the United States.
(e) Verification of identity. When an individual makes a request for access to their own records, their identity must be verified. The individual must provide their full name, current address, date and place of birth, and country of citizenship or residency. The individual must sign the request and provide a signature that must either be notarized or submitted by the requester under 28 U.S.C. 1746,a,as. An individual may obtain more information about this process at http://www.dhs.gov/foia or 1-866-431-0486. In order to help the identification and location of requested records, an individual may also voluntarily include other identifying information that are relevant to the request (e.g., passport number, Alien Registration Number (A-Number)).
(f) Verification of guardianship. When making a request as the parent or guardian of a minor or as the guardian of someone determined by a court of competent jurisdiction to be incompetent due to physical or mental incapacity or age, for access to records about that individual, the individual submitting a request must establish:
(1) The identity of the individual who is the subject of the record, by stating the name, current address, date and place of birth, and country of citizenship or residency of the individual;
(2) The submitting individual's own identity, in the same manner as required in paragraph (e) of this section;
(3) That the submitting individual is the parent or guardian of the subject of the record, which may be proven by providing a copy of the subject of the record's birth certificate showing parentage or by providing a court order establishing guardianship; and
(4) That the submitting individual is acting on behalf of that individual that is the subject of the record.
(g) Verification in the case of third-party information requests. Outside of requests made pursuant to paragraph (f) of this section, if a third party requests records about a subject individual, the third party requester must provide verification of the subject individual's identity in the manner provided in paragraph (e) of this section along with the subject individual's written consent authorizing disclosure of the records to the third party requester, or by submitting proof by the requester that the subject individual is deceased (e.g., a copy of a death certificate or an obituary). As an exercise of its administrative discretion, each component can require a third-party requester to supply additional information to verify that the subject individual has consented to disclosure or is deceased.
[87 FR 68601, Nov. 16, 2022, as amended at 89 FR 14371, Feb. 27, 2024]