[Federal Register Volume 64, Number 75 (Tuesday, April 20, 1999)]
[Rules and Regulations]
[Pages 19293-19299]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-9857]


=======================================================================
-----------------------------------------------------------------------

CORPORATION FOR NATIONAL AND COMMUNITY SERVICE

45 CFR Parts 1224 and 2508

RIN 3045-AA22


Implementation of the Privacy Act of 1974

AGENCY: Corporation for National and Community Service.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Corporation for National and Community Service 
(hereinafter the ``Corporation'') has revised its regulations under the 
Privacy Act. The Corporation redesignated the existing regulations 
under former ACTION's CFR chapter as updated regulations under the 
Corporation's CFR chapter. The Corporation expects this rule will 
promote consistency in its processing of Privacy Act requests by 
setting forth the basic policies of the Corporation governing the 
maintenance of its system of records which contains the personal 
information of its employees.

DATES: This final rule is effective May 20, 1999.

FOR FURTHER INFORMATION CONTACT: Bill Hudson, Corporation Freedom of 
Information Act/Privacy Act Officer, at (202) 606-5000, ext. 265.

SUPPLEMENTARY INFORMATION: The Corporation published a notice of 
proposed rulemaking on March 5, 1999 (64 FR 10872) announcing its 
intention to redesignate the existing regulations under former ACTION's 
CFR chapter as updated regulations under the Corporation's CFR chapter. 
The Corporation did not receive any comments on this proposed rule. The 
Corporation is a wholly-owned government corporation created by 
Congress to administer programs established under the national service 
laws. The Corporation operates under two statutes, the National and 
Community Service Act of 1990, as amended, 42 U.S.C. 12501 et seq., and 
the Domestic Volunteer Service Act of 1973, as amended, 42 U.S.C. 4950 
et seq.
    The functions of the ACTION agency were transferred to the 
Corporation on April 4, 1994. This final rule redesignates ACTION's 
policy at 45 CFR Chapter XII, part 1224, to be revised as 45 CFR 
Chapter XXV, part 2508, and governs the Corporation as a whole. The 
Distribution Table in the Preamble compares the earlier version of CFR 
part numbers under 45 Chapter XII, part 1224, with the new CFR part 
numbers assigned under 45 Chapter XXV, part 2508. The subjects listed 
in 45 CFR Chapter XII, part 1224, are revised and redesignated under 45 
CFR Chapter XXV, part 2508, to reflect the new subject listings. The 
redesignated subpart numbers under 45 CFR Chapter XXV, part 2508, are 
written in a plain language format as questions/answers to provide for 
a better understanding of the Corporation's revised Privacy Act 
regulation.

Regulatory Flexibility Act

    I certify that this regulation will not have a significant economic 
impact on a substantial number of small entities.

Executive Order 12866

    This regulation has been drafted and reviewed in accordance with 
Executive Order 12866. The Office of Management and Budget has reviewed 
this rule and has determined that this rule is not a ``significant 
regulatory action'' under Executive Order 12866, section 3(f), 
Regulatory Planning and Review.

Paperwork Reduction Act

    I certify that this regulation does not require additional 
reporting under the criteria of the Paperwork Reduction Act of 1980.

Unfunded Mandates Reform Act of 1995

    This regulation will not result in the expenditure by State, local, 
and tribal governments, in the aggregate, or by the private sector, of 
$100,000,000 or more in any one year, and it will not significantly or 
uniquely affect small governments. Therefore, no actions are deemed 
necessary under the provisions of the Unfunded Mandates Reform Act of 
1995.

Small Business Regulatory Enforcement Fairness Act of 1996

    This rule is not a major rule as defined by Sec. 804 of the Small 
Business Regulatory Enforcement Fairness Act of 1996. This rule will 
not result in an annual effect on the economy of

[[Page 19294]]

$100,000,000 or more; a major increase in costs or prices; or 
significant adverse effects on competition, employment, investment, 
productivity, innovation, or on the ability of United States-based 
companies to compete with foreign-based companies in domestic and 
export markets.

Submission to Congress and the Office of Management and Budget

    This rule is hereby submitted pursuant to 5 U.S.C. 552a(f) for 
printing in the Federal Register. A copy has been sent to the Chairman 
of the Committee on Government Reform and Oversight of the House of 
Representatives; the Chairman of the Committee on Governmental Affairs 
of the Senate; and the Administrator, Office of Information and 
Regulatory Affairs, Office of Management and Budget, in accordance with 
5 U.S.C. 552a(e)(4) and (a)(r).

                           Distribution Table
------------------------------------------------------------------------
                                                            New 45 CFR
                  Old 45 CFR  part 1224                      part 2508
------------------------------------------------------------------------
1224.1-1................................................          2508.2
1224.1-2................................................          2508.3
1224.1-3................................................          2508.1
1224.1-4................................................          2508.4
1224.1-5................................................          2508.5
1224.1-5a...............................................          2505.6
1224.1-6................................................          2508.7
1224.1-7................................................            None
1224.1-8................................................          2508.8
1224.1-9................................................          2508.9
1224.1-10...............................................         2508.10
1224.1-11...............................................         2508.11
1224.1-12...............................................         2508.12
1224.1-13...............................................         2508.13
1224.1-14...............................................         2508.19
1224.1-15...............................................         2508.14
1224.1-16...............................................         2508.15
1224.1-17...............................................         2508.16
1224.1-18...............................................         2508.17
1224.1-19...............................................            None
None....................................................         2508.18
None....................................................         2508.20
------------------------------------------------------------------------

List of Subjects in 45 CFR Parts 1224 and 2508

    Privacy.

    Accordingly, and under the authority of 42 U.S.C. 12501 et seq., 
and 42 U.S.C. 4950 et seq., the Corporation amends 45 CFR chapters XII 
and XXV as follows:

PART 1224--[REDESIGNATED AS PART 2508]

    1. Part 1224 in 45 CFR chapter XII is redesignated as part 2508 in 
45 CFR chapter XXV and is revised to read as follows:

PART 2508--IMPLEMENTATION OF THE PRIVACY ACT OF 1974

Sec.
2508.1  Definitions.
2508.2  What is the purpose of this part?
2508.3  What is the Corporation's Privacy Act policy?
2508.4  When can Corporation records be disclosed?
2508.5  When does the Corporation publish its notice of its system 
of records?
2508.6  When will the Corporation publish a notice for new routine 
uses of information in its system of records?
2508.7  To whom does the Corporation provide reports to regarding 
changes in its system of records?
2508.8  Who is responsible for establishing the Corporation's rules 
of conduct for Privacy Act compliance?
2508.9  What officials are responsible for the security, management 
and control of Corporation record keeping systems?
2508.10  Who has the responsibility for maintaining adequate 
technical, physical, and security safeguards to prevent unauthorized 
disclosure or destruction of manual and automatic record systems?
2508.11  How shall offices maintaining a system of records be 
accountable for those records to prevent unauthorized disclosure of 
information?
2508.12  What are the contents of the systems of records that are to 
be maintained by the Corporation?
2508.13  What are the procedures for acquiring access to Corporation 
records by an individual about whom a record is maintained?
2508.14  What are the identification requirements for individuals 
who request access to records?
2508.15  What are the procedures for requesting inspection of, 
amendment or correction to, or appeal of an individual's records 
maintained by the Corporation other than that individual's official 
personnel file?
2508.16  What are the procedures for filing an appeal for refusal to 
amend or correct records?
2508.17  When shall fees be charged and at what rate?
2508.18  What are the penalties for obtaining a record under false 
pretenses?
2508.19  What Privacy Act exemptions or control of systems of 
records are exempt from disclosure?
2508.20  What are the restrictions regarding the release of mailing 
lists?

    Authority: 5 U.S.C. 552a; 42 U.S.C. 12501 et seq.; 42 U.S.C. 
4950 et seq.


Sec. 2508.1  Definitions.

    (a) Amend means to make a correction to, or expunge any portion of, 
a record about an individual which that individual believes is not 
accurate, relevant, timely, or complete.
    (b) Appeal Officer means the individual delegated the 
responsibility to act on all appeals filed under the Privacy Act.
    (c) Chief Executive Officer means the Head of the Corporation.
    (d) Corporation means the Corporation for National and Community 
Service.
    (e) Individual means any citizen of the United States or an alien 
lawfully admitted for permanent residence.
    (f) Maintain means to collect, use, store, disseminate or any 
combination of these recordkeeping functions; exercise of control over 
and therefore, responsibility and accountability for, systems of 
records.
    (g) Personnel record means any information about an individual that 
is maintained in a system of records by the Corporation that is needed 
for personnel management or processes such as staffing, employment 
development, retirement, grievances, and appeals.
    (h) Privacy Act Officer means the individual delegated the 
authority to allow access to, the release of, or the withholding of 
records pursuant to an official Privacy Act request. The Privacy Act 
Officer is further delegated the authority to make the initial 
determination on all requests to amend records.
    (i) Record means any document or other information about an 
individual maintained by the agency whether collected or grouped, and 
including, but not limited to, information regarding education, 
financial transactions, medical history, criminal or employment 
history, or any other personal information that contains the name or 
other personal identification number, symbol, etc. assigned to such 
individual.
    (j) Routine use means, with respect to the disclosure of a record, 
the use of such record for a purpose which is compatible with the 
purpose for which it was collected.
    (k) System of records means a group of any records under the 
maintenance and control of the Corporation from which information is 
retrieved by use of the name of an individual or by some personal 
identifier of the individual.


Sec. 2508.2  What is the purpose of this part?

    The purpose of this part is to set forth the basic policies of the 
Corporation governing the maintenance of its system of records which 
contains personal information concerning its employees as defined in 
the Privacy Act (5 U.S.C. 552a). Records included in this part are 
those described in aforesaid act and maintained by the Corporation and/
or any component thereof.


Sec. 2508.3  What is the Corporation's Privacy Act policy?

    It is the policy of the Corporation to protect, preserve, and 
defend the right

[[Page 19295]]

of privacy of any individual about whom the Corporation maintains 
personal information in any system of records and to provide 
appropriate and complete access to such records including adequate 
opportunity to correct any errors in said records. Further, it is the 
policy of the Corporation to maintain its records in such a manner that 
the information contained therein is, and remains material and relevant 
to the purposes for which it is received in order to maintain its 
records with fairness to the individuals who are the subjects of such 
records.


Sec. 2508.4  When can Corporation records be disclosed?

    (a) (1) The Corporation will not disclose any record that is 
contained in its system of records by any means of communication to any 
person, or to another agency, except pursuant to a written request by, 
or with the prior written consent of the individual to whom the record 
pertains, unless disclosure of the record would be:
    (i) To employees of the Corporation who maintain the record and who 
have a need for the record in the performance of their official duties;
    (ii) When required under the provisions of the Freedom of 
Information Act (5 U.S.C. 552);
    (iii) For routine uses as appropriately published in the annual 
notice of the Federal Register;
    (iv) To the Bureau of the Census for purposes of planning or 
carrying out a census or survey or related activity pursuant to the 
provisions of title 13;
    (v) To a recipient who has provided the Corporation with advance 
adequate written assurance that the record will be used solely as a 
statistical research or reporting record, and the record is to be 
transferred in a form that is not individually identifiable;
    (vi) To the National Archives and Records Administration of the 
United States as a record which has sufficient historical or other 
value to warrant its continued preservation by the United States 
Government, or for evaluation by the Archivist of the United States or 
the designee of the Archivist to determine whether the record has such 
value;
    (vii) To another agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States for civil or criminal law enforcement activity if the activity 
is authorized by law, and if the head of the agency or instrumentality 
has made a written request to the Corporation for such records 
specifying the particular portion desired and the law enforcement 
activity for which the record is sought. Such a record may also be 
disclosed by the Corporation to the law enforcement agency on its own 
initiative in situations in which criminal conduct is suspected 
provided that such disclosure has been established as a routine use or 
in situations in which the misconduct is directly related to the 
purpose for which the record is maintained;
    (viii) To a person pursuant to a showing of compelling 
circumstances affecting the health or safety of any individual if, upon 
such disclosure, notification is transmitted to the last known address 
of such individual;
    (ix) To either House of Congress, or, to the extent of matter 
within its jurisdiction, any committee or subcommittee thereof, any 
joint committee of Congress or subcommittee of any such joint 
committee;
    (x) To the Comptroller General or any of his or her authorized 
representatives, in the course of the performance of official duties in 
the General Accounting Office;
    (xi) Pursuant to an order of a court of competent jurisdiction 
served upon the Corporation pursuant to 45 CFR 1201.3, and provided 
that if any such record is disclosed under such compulsory legal 
process and subsequently made public by the court which issued it, the 
Corporation must make a reasonable effort to notify the individual to 
whom the record pertains of such disclosure;
    (xii) To a contractor, expert, or consultant of the Corporation (or 
an office within the Corporation) when the purpose of the release to 
perform a survey, audit, or other review of the Corporation's 
procedures and operations; and
    (xiii) To a consumer reporting agency in accordance with section 
3711(f) of title 31.


Sec. 2508.5  When does the Corporation publish its notice of its system 
of records?

    The Corporation shall publish annually a notice of its system of 
records maintained by it as defined herein in the format prescribed by 
the General Services Administration in the Federal Register; provided, 
however, that such publication shall not be made for those systems of 
records maintained by other agencies while in the temporary custody of 
the Corporation.


Sec. 2508.6  When will the Corporation publish a notice for new routine 
uses of information in its system of records?

    At least 30 days prior to publication of information under the 
preceding section, the Corporation shall publish in the Federal 
Register a notice of its intention to establish any new routine use of 
any system of records maintained by it with an opportunity for public 
comments on such use. Such notice shall contain the following:
    (a) The name of the system of records for which the routine use is 
to be established.
    (b) The authority for the system.
    (c) The purpose for which the record is to be maintained.
    (d) The proposed routine use(s).
    (e) The purpose of the routine use(s).
    (f) The categories of recipients of such use. In the event of any 
request for an addition to the routine uses of the systems which the 
Corporation maintains, such request may be sent to the following 
office: Corporation for National and Community Service, Director, 
Administration and Management Services, Room 6100, 1201 New York 
Avenue, NW, Washington, DC 20525.


Sec. 2508.7  To whom does the Corporation provide reports regarding 
changes in its system of records?

    The Corporation shall provide to the Committee on Government 
Operations of the House of Representatives, the Committee on 
Governmental Affairs of the Senate, and the Office of Management and 
Budget, advance notice of any proposal to establish or alter any system 
of records as defined herein. This report will be submitted in 
accordance with guidelines provided by the Office of Management and 
Budget.


Sec. 2508.8  Who is responsible for establishing the Corporation's 
rules of conduct for Privacy Act compliance?

    (a) The Chief Executive Officer shall ensure that all persons 
involved in the design, development, operation or maintenance of any 
system of records as defined herein are informed of all requirements 
necessary to protect the privacy of individuals who are the subject of 
such records. All employees shall be informed of all implications of 
the Act in this area including the civil remedies provided under 5 
U.S.C. 552a(g)(1) and the fact that the Corporation may be subject to 
civil remedies for failure to comply with the provisions of the Privacy 
Act and this regulation.
    (b) The Chief Executive Officer shall also ensure that all 
personnel having access to records receive adequate training in the 
protection of the security of personal records, and that adequate and 
proper storage is provided for all such records with sufficient 
security to assure the privacy of such records.

[[Page 19296]]

Sec. 2508.9  What officials are responsible for the security, 
management and control of Corporation record keeping systems?

    (a) The Director of Administration and Management Services shall 
have overall control and supervision of the security of all systems of 
records and shall be responsible for monitoring the security standards 
set forth in this regulation.
    (b) A designated official (System Manager) shall be named who shall 
have management responsibility for each record system maintained by the 
Corporation and who shall be responsible for providing protection and 
accountability for such records at all times and for insuring that such 
records are secured in appropriate containers whenever not in use or in 
the direct control of authorized personnel.


Sec. 2508.10  Who has the responsibility for maintaining adequate 
technical, physical, and security safeguards to prevent unauthorized 
disclosure or destruction of manual and automatic record systems?

    The Chief Executive Officer has the responsibility of maintaining 
adequate technical, physical, and security safeguards to prevent 
unauthorized disclosure or destruction of manual and automatic record 
systems. These security safeguards shall apply to all systems in which 
identifiable personal data are processed or maintained, including all 
reports and outputs from such systems that contain identifiable 
personal information. Such safeguards must be sufficient to prevent 
negligent, accidental, or unintentional disclosure, modification or 
destruction of any personal records or data, and must furthermore 
minimize, to the extent practicable, the risk that skilled technicians 
or knowledgeable persons could improperly obtain access to modify or 
destroy such records or data and shall further insure against such 
casual entry by unskilled persons without official reasons for access 
to such records or data.
    (a) Manual systems. (1) Records contained in a system of records as 
defined herein may be used, held or stored only where facilities are 
adequate to prevent unauthorized access by persons within or outside 
the Corporation.
    (2) All records, when not under the personal control of the 
employees authorized to use the records, must be stored in a locked 
metal filing cabinet. Some systems of records are not of such 
confidential nature that their disclosure would constitute a harm to an 
individual who is the subject of such record. However, records in this 
category shall also be maintained in locked metal filing cabinets or 
maintained in a secured room with a locking door.
    (3) Access to and use of a system of records shall be permitted 
only to persons whose duties require such access within the 
Corporation, for routine uses as defined in Sec. 2508.4 as to any given 
system, or for such other uses as may be provided herein.
    (4) Other than for access within the Corporation to persons needing 
such records in the performance of their official duties or routine 
uses as defined in Sec. 2508.4, or such other uses as provided herein, 
access to records within a system of records shall be permitted only to 
the individual to whom the record pertains or upon his or her written 
request to the Director, Administration and Management Services.
    (5) Access to areas where a system of records is stored will be 
limited to those persons whose duties require work in such areas. There 
shall be an accounting of the removal of any records from such storage 
areas utilizing a written log, as directed by the Director, 
Administration and Management Services. The written log shall be 
maintained at all times.
    (6) The Corporation shall ensure that all persons whose duties 
require access to and use of records contained in a system of records 
are adequately trained to protect the security and privacy of such 
records.
    (7) The disposal and destruction of records within a system of 
records shall be in accordance with rules promulgated by the General 
Services Administration.
    (b) Automated systems. (1) Identifiable personal information may be 
processed, stored or maintained by automated data systems only where 
facilities or conditions are adequate to prevent unauthorized access to 
such systems in any form. Whenever such data, whether contained in 
punch cards, magnetic tapes or discs, are not under the personal 
control of an authorized person, such information must be stored in a 
locked or secured room, or in such other facility having greater 
safeguards than those provided for herein.
    (2) Access to and use of identifiable personal data associated with 
automated data systems shall be limited to those persons whose duties 
require such access. Proper control of personal data in any form 
associated with automated data systems shall be maintained at all 
times, including maintenance of accountability records showing 
disposition of input and output documents.
    (3) All persons whose duties require access to processing and 
maintenance of identifiable personal data and automated systems shall 
be adequately trained in the security and privacy of personal data.
    (4) The disposal and disposition of identifiable personal data and 
automated systems shall be done by shredding, burning or in the case of 
tapes or discs, degaussing, in accordance with any regulations now or 
hereafter proposed by the General Services Administration or other 
appropriate authority.


Sec. 2508.11  How shall offices maintaining a system of records be 
accountable for those records to prevent unauthorized disclosure of 
information?

    (a) Each office maintaining a system of records shall account for 
all records within such system by maintaining a written log in the form 
prescribed by the Director, Administration and Management Services, 
containing the following information:
    (1) The date, nature, and purpose of each disclosure of a record to 
any person or to another agency. Disclosures made to employees of the 
Corporation in the normal course of their duties, or pursuant to the 
provisions of the Freedom of Information Act, need not be accounted 
for.
    (2) Such accounting shall contain the name and address of the 
person or agency to whom the disclosure was made.
    (3) The accounting shall be maintained in accordance with a system 
of records approved by the Director, Administration and Management 
Services, as sufficient for the purpose but in any event sufficient to 
permit the construction of a listing of all disclosures at appropriate 
periodic intervals.
    (4) The accounting shall reference any justification or basis upon 
which any release was made including any written documentation required 
when records are released for statistical or law enforcement purposes 
under the provisions of subsection (b) of the Privacy Act of 1974 (5 
U.S.C. 552a).
    (5) For the purpose of this part, the system of accounting for 
disclosures is not a system of records under the definitions hereof, 
and need not be maintained within a system of records.
    (6) Any subject individual may request access to an accounting of 
disclosures of a record. The subject individual shall make a request 
for access to an accounting in accordance with Sec. 2508.13. An 
individual will be granted access to an accounting of the disclosures 
of a record in accordance with the procedures of this subpart which 
govern access to the related

[[Page 19297]]

record. Access to an accounting of a disclosure of a record made under 
Sec. 2508.13 may be granted at the discretion of the Director, 
Administration and Management Services.


Sec. 2508.12  What are the contents of the systems of record that are 
to be maintained by the Corporation?

    (a) The Corporation shall maintain all records that are used in 
making determinations about any individual with such accuracy, 
relevance, timeliness, and completeness as is reasonably necessary to 
assure fairness to the individual in the determination;
    (b) In situations in which the information may result in adverse 
determinations about such individual's rights, benefits and privileges 
under any Federal program, all information placed in a system of 
records shall, to the greatest extent practicable, be collected from 
the individual to whom the record pertains.
    (c) Each form or other document that an individual is expected to 
complete in order to provide information for any system of records 
shall have appended thereto, or in the body of the document:
    (1) An indication of the authority authorizing the solicitation of 
the information and whether the provision of the information is 
mandatory or voluntary.
    (2) The purpose or purposes for which the information is intended 
to be used.
    (3) Routine uses which may be made of the information and published 
pursuant to Sec. 2508.6.
    (4) The effect on the individual, if any, of not providing all or 
part of the required or requested information.
    (d) Records maintained in any system of records used by the 
Corporation to make any determination about any individual shall be 
maintained with such accuracy, relevancy, timeliness, and completeness 
as is reasonably necessary to assure fairness to the individual in the 
making of any determination about such individual, provided, however, 
that the Corporation shall not be required to update or keep current 
retired records.
    (e) Before disseminating any record about any individual to any 
person other than an employee in the Corporation, unless the 
dissemination is made pursuant to the provisions of the Freedom of 
Information Act (5 U.S.C. 552), the Corporation shall make reasonable 
efforts to ensure that such records are, or were at the time they were 
collected, accurate, complete, timely and relevant for Corporation 
purposes.
    (f) Under no circumstances shall the Corporation maintain any 
record about any individual with respect to or describing how such 
individual exercises rights guaranteed by the First Amendment of the 
Constitution of the United States, unless expressly authorized by 
statute or by the individual about whom the record is maintained, or 
unless pertinent to and within the scope of an authorized law 
enforcement activity.
    (g) In the event any record is disclosed as a result of the order 
of a court of appropriate jurisdiction, the Corporation shall make 
reasonable efforts to notify the individual whose record was so 
disclosed after the process becomes a matter of public record.


Sec. 2508.13  What are the procedures for acquiring access to 
Corporation records by an individual about whom a record is maintained?

    (a) Any request for access to records from any individual about 
whom a record is maintained will be addressed to the Corporation for 
National and Community Service, Office of the General Counsel, Attn: 
Privacy Act Officer, Room 8200, 1201 New York Avenue, NW, Washington, 
DC 20525, or delivered in person during regular business hours, 
whereupon access to his or her record, or to any information contained 
therein, if determined to be releasable, shall be provided.
    (b) If the request is made in person, such individual may, upon his 
or her request, be accompanied by a person of his or her choosing to 
review the record and shall be provided an opportunity to have a copy 
made of any record about such individual.
    (c) A record may be disclosed to a representative chosen by the 
individual as to whom a record is maintained upon the proper written 
consent of such individual.
    (d) A request made in person will be promptly complied with if the 
records sought are in the immediate custody of the Corporation. Mailed 
requests or personal requests for documents in storage or otherwise not 
immediately available, will be acknowledged within 10 working days, and 
the information requested will be promptly provided thereafter.
    (e) With regard to any request for disclosure of a record, the 
following procedures shall apply:
    (1) Medical or psychological records shall be disclosed to an 
individual unless, in the judgment of the Corporation, access to such 
records might have an adverse effect upon such individual. When such 
determination has been made, the Corporation may require that the 
information be disclosed only to a physician chosen by the requesting 
individual. Such physician shall have full authority to disclose all or 
any portion of such record to the requesting individual in the exercise 
of his or her professional judgment.
    (2) Test material and copies of certificates or other lists of 
eligibles or any other listing, the disclosure of which would violate 
the privacy of any other individual, or be otherwise exempted by the 
provisions of the Privacy Act, shall be removed from the record before 
disclosure to any individual to whom the record pertains.


Sec. 2508.14  What are the identification requirements for individuals 
who request access to records?

    The Corporation shall require reasonable identification of all 
individuals who request access to records to ensure that records are 
disclosed to the proper person.
    (a) In the event an individual requests disclosure in person, such 
individual shall be required to show an identification card such as a 
drivers license, etc., containing a photo and a sample signature of 
such individual. Such individual may also be required to sign a 
statement under oath as to his or her identity, acknowledging that he 
or she is aware of the penalties for improper disclosure under the 
provisions of the Privacy Act.
    (b) In the event that disclosure is requested by mail, the 
Corporation may request such information as may be necessary to 
reasonably ensure that the individual making such request is properly 
identified. In certain cases, the Corporation may require that a mail 
request be notarized with an indication that the notary received an 
acknowledgment of identity from the individual making such request.
    (c) In the event an individual is unable to provide suitable 
documentation or identification, the Corporation may require a signed 
notarized statement asserting the identity of the individual and 
stipulating that the individual understands that knowingly or willfully 
seeking or obtaining access to records about another person under false 
pretenses is punishable by a fine of up to $5,000.
    (d) In the event a requestor wishes to be accompanied by another 
person while reviewing his or her records, the Corporation may require 
a written statement authorizing discussion of his or her records in the 
presence of the accompanying representative or other persons.

[[Page 19298]]

Sec. 2508.15  What are the procedures for requesting inspection of, 
amendment or correction to, or appeal of an individual's records 
maintained by the Corporation other than that individual's official 
personnel file?

    (a) A request for inspection of any record shall be made to the 
Director, Administration and Management Services. Such request may be 
made by mail or in person provided, however, that requests made in 
person may be required to be made upon a form provided by the Director 
of Administration and Management Services who shall keep a current list 
of all systems of records maintained by the Corporation and published 
in accordance with the provisions of this regulation. However, the 
request need not be in writing if the individual makes his or her 
request in person. The requesting individual may request that the 
Corporation compile all records pertaining to such individual at any 
named Service Center/State Office, AmeriCorps*NCCC Campus, or at 
Corporation Headquarters in Washington, DC, for the individual's 
inspection and/or copying. In the event an individual makes such 
request for a compilation of all records pertaining to him or her in 
various locations, appropriate time for such compilation shall be 
provided as may be necessary to promptly comply with such requests.
    (b) Any such requests should contain, at a minimum, identifying 
information needed to locate any given record and a brief description 
of the item or items of information required in the event the 
individual wishes to see less than all records maintained about him or 
her.
    (1) In the event an individual, after examination of his or her 
record, desires to request an amendment or correction of such records, 
the request must be submitted in writing and addressed to the 
Corporation for National and Community Service, Office of the General 
Counsel, Attn: Privacy Act Officer, Room 8200, 1201 New York Avenue, 
NW, Washington, DC 20525. In his or her written request, the individual 
shall specify:
    (i) The system of records from which the record is retrieved;
    (ii) The particular record that he or she is seeking to amend or 
correct;
    (iii) Whether he or she is seeking an addition to or a deletion or 
substitution of the record; and,
    (iv) His or her reasons for requesting amendment or correction of 
the record.
    (2) A request for amendment or correction of a record will be 
acknowledged within 10 working days of its receipt unless the request 
can be processed and the individual informed of the Privacy Act 
Officer's decision on the request within that 10 day period.
    (3) If the Privacy Act Officer agrees that the record is not 
accurate, timely, or complete, based on a preponderance of the 
evidence, the record will be corrected or amended. The record will be 
deleted without regard to its accuracy, if the record is not relevant 
or necessary to accomplish the Corporation's function for which the 
record was provided or is maintained. In either case, the individual 
will be informed in writing of the amendment, correction, or deletion 
and, if accounting was made of prior disclosures of the record, all 
previous recipients of the record will be informed of the corrective 
action taken.
    (4) If the Privacy Act Officer does not agree that the record 
should be amended or corrected, the individual will be informed in 
writing of the refusal to amend or correct the record. He or she will 
also be informed that he or she may appeal the refusal to amend or 
correct his or her record in accordance with Sec. 2508.17.
    (5) Requests to amend or correct a record governed by the 
regulation of another government agency will be forwarded to such 
government agency for processing and the individual will be informed in 
writing of the referral.
    (c) In the event an individual disagrees with the Privacy Act 
Officer's initial determination, he or she may appeal such 
determination to the Appeal Officer in accordance with Sec. 2508.17. 
Such request for review must be made within 30 days after receipt by 
the requestor of the initial refusal to amend.


Sec. 2508.16  What are the procedures for filing an appeal for refusal 
to amend or correct records?

    (a) In the event an individual desires to appeal any refusal to 
correct or amend records, he or she may do so by addressing, in 
writing, such appeal to the Corporation for National and Community 
Service, Office of the Chief Operating Officer, Attn: Appeal Officer, 
1201 New York Avenue NW, Washington, DC 20525. Although there is no 
time limit for such appeals, the Corporation shall be under no 
obligation to maintain copies of original requests or responses thereto 
beyond 180 days from the date of the original request.
    (b) An appeal will be completed within 30 working days from its 
receipt by the Appeal Officer; except that, the appeal authority may, 
for good cause, extend this period for an additional 30 days. Should 
the appeal period be extended, the individual appealing the original 
refusal will be informed in writing of the extension and the 
circumstances of the delay. The individual's request for access to or 
to amend or correct the record, the Privacy Act Officer's refusal to 
amend or correct the record, and any other pertinent material relating 
to the appeal will be reviewed. No hearing will be held.
    (c) If the Appeal Officer determines that the record that is the 
subject of the appeal should be amended or corrected, the record will 
be amended or corrected and the individual will be informed in writing 
of the amendment or correction. Where an accounting was made of prior 
disclosures of the record, all previous recipients of the record will 
be informed of the corrective action taken.
    (d) If the appeal is denied, the subject individual will be 
informed in writing:
    (1) Of the denial and reasons for the denial;
    (2) That he or she has a right to seek judicial review of the 
denial; and
    (3) That he or she may submit to the Appeal Officer a concise 
statement of disagreement to be associated with the disputed record and 
disclosed whenever the record is disclosed.
    (e) Whenever an individual submits a statement of disagreement to 
the Appeal Officer in accordance with paragraph (d)(3) of this section, 
the record will be annotated to indicate that it is disputed. In any 
subsequent disclosure, a copy of the subject individual's statement of 
disagreement will be disclosed with the record. If the appeal authority 
deems it appropriate, a concise statement of the Appeal Officer's 
reasons for denying the individual's appeal may also be disclosed with 
the record. While the individual will have access to this statement of 
reasons, such statement will not be subject to correction or amendment. 
Where an accounting was made of prior disclosures of the record, all 
previous recipients of the record will be provided a copy of the 
individual's statement of disagreement, as well as the statement, if 
any, of the Appeal Officer's reasons for denying the individual's 
appeal.


Sec. 2508.17  When shall fees be charged and at what rate?

    (a) No fees shall be charged for search time or for any other time 
expended by the Corporation to review or produce a record except where 
an individual requests that a copy be made of the record to which he or 
she is granted access. Where a copy of the record must be made in order 
to provide access to the record (e.g., computer printout where no 
screen reading is available), the copy will be made available to the 
individual without cost.

[[Page 19299]]

    (b) The applicable fee schedule is as follows:
    (1) Each copy of each page, up to 8\1/2\'' x 14'', made by 
photocopy or similar process is $0.10 per page.
    (2) Each copy of each microform frame printed on paper is $0.25.
    (3) Each aperture card is $0.25.
    (4) Each 105-mm fiche is $0.25.
    (5) Each 100' foot role of 35-mm microfilm is $7.00.
    (6) Each 100' foot role of 16-mm microfilm is $6.00.
    (7) Each page of computer printout without regard to the number of 
carbon copies concurrently printed is $0.20.
    (8) Copying records not susceptible to photocopying (e.g., punch 
cards or magnetic tapes), at actual cost to be determined on a case-by-
case basis.
    (9) Other copying forms (e.g., typing or printing) will be charged 
at direct costs, including personnel and equipment costs.
    (c) All copying fees shall be paid by the individual before the 
copying will be undertaken. Payments shall be made by check or money 
order payable to the ``Corporation for National and Community 
Service,'' and provided to the Privacy Act Officer processing the 
request.
    (d) A copying fee shall not be charged or collected, or 
alternatively, it may be reduced, when it is determined by the Privacy 
Act Officer, based on a petition, that the petitioning individual is 
indigent and that the Corporation's resources permit a waiver of all or 
part of the fee. An individual is deemed to be indigent when he or she 
is without income or lacks the resources sufficient to pay the fees.
    (e) Special and additional services provided at the request of the 
individual, such as certification or authentication, postal insurance 
and special mailing arrangement costs, will be charged to the 
individual.
    (f) A copying fee totaling $5.00 or less shall be waived, but the 
copying fees for contemporaneous requests by the same individual shall 
be aggregated to determine the total fee.


Sec. 2508.18  What are the penalties for obtaining a record under false 
pretenses?

    The Privacy Act provides, in pertinent part that:
    (a) Any person who knowingly and willfully requests to obtain any 
record concerning an individual from the Corporation under false 
pretenses shall be guilty of a misdemeanor and fined not more than 
$5,000 (5 U.S.C. 552a(I)(3)).
    (b) A person who falsely or fraudulently attempts to obtain records 
under the Privacy Act also may be subject to prosecution under such 
other criminal statutes as 18 U.S.C. 494, 495 and 1001.


Sec. 2508.19  What Privacy Act exemptions or control of systems of 
records are exempt from disclosure?

    (a) Certain systems of records that are maintained by the 
Corporation are exempted from provisions of the Privacy Act in 
accordance with exemptions (j) and (k) of 5 U.S.C. 552a.
    (1) Exemption of Inspector General system of records. Pursuant to, 
and limited by 5 U.S.C. 552a(j)(2), the system of records maintained by 
the Office of the Inspector General that contains the Investigative 
Files shall be exempted from the provisions of 5 U.S.C. 552a, except 
subsections (b), (c) (1) and (2), (e)(4) (A) through (F), (e)(6)(7), 
(9), (10), and (11), and (I), and 45 CFR 2508.11, 2508.12, 2508.13, 
2508.14, 2508.15, 2508.16, and 2508.17, insofar as the system contains 
information pertaining to criminal law enforcement investigations.
    (2) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the system of 
records maintained by the Office of the Inspector General that contains 
the Investigative Files shall be exempted from 5 U.S.C. 552a (c)(3), 
(d), (e)(1), (e)(4) (G), (H), and (I), and (f), and 45 CFR 2508.11, 
2508.12, 2508.13, 2508.14, 2508.15, 2508.16, and 2508.17, insofar as 
the system contains investigatory materials compiled for law 
enforcement purposes.
    (b) Exemptions to the General Counsel system of records. Pursuant 
to, and limited by 5 U.S.C. 552a(d)(5), the system of records 
maintained by the Office of the General Counsel that contains the Legal 
Office Litigation/Correspondence Files shall be exempted from the 
provisions of 5 U.S.C. 552a(d)(5), and 45 CFR 2508.4, insofar as the 
system contains information compiled in reasonable anticipation of a 
civil action or proceeding.


Sec. 2508.20  What are the restrictions regarding the release of 
mailing lists?

    An individual's name and address may not be sold or rented by the 
Corporation unless such action is specifically authorized by law. This 
section does not require the withholding of names and addresses 
otherwise permitted to be made public.

    Dated: April 15, 1999.
Thomas L. Bryant,
Acting General Counsel.
[FR Doc. 99-9857 Filed 4-19-99; 8:45 am]
BILLING CODE 6050-28-P