[Federal Register Volume 65, Number 74 (Monday, April 17, 2000)]
[Rules and Regulations]
[Pages 20372-20380]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-9417]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

National Reconnaissance Office

32 CFR Part 326


National Reconnaissance Office Privacy Act Program

AGENCY: National Reconnaissance Office, DOD

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule establishes the National Reconnaissance Office 
Privacy Act Program. This rule establishes policies and procedures for 
implementing the NRO Privacy Program, and delegates authorities and 
assigns responsibilities for the administration of the NRO Privacy 
Program.

EFFECTIVE DATE: March 20, 2000.

ADDRESSES: National Reconnaissance Office, Information Access and 
Release Center, 14675 Lee Road, Chantilly, VA 20151-1715.

FOR FURTHER INFORMATION CONTACT: Ms. Barbara Freimann at (703) 808-
5029.

SUPPLEMENTARY INFORMATION: The proposed rule for the NRO Privacy Act 
Program was published on January 19, 2000, at 65 FR 2912. No comments 
were received, therefore, the rule is being adopted as a final rule.

Executive Order 12866, Regulatory Planning and Review

    It has been determined that 32 CFR part 326 is not a significant 
regulatory action. The rule does not:
    (1) Have an annual effect to the economy of $100 million or more; 
or adversely affect in a material way the economy; a section of the 
economy; productivity; competition; jobs; the environment; public 
health or safety; or state, local, or tribal governments or 
communities;
    (2) Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another Agency;
    (3) Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs or the rights and obligations of recipients 
thereof;
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
this Executive Order.

Public Law 96-354, Regulatory Flexibility Act (5 U.S.C. 601)

    It has been certified that this rule is not subject to the 
Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if 
promulgated, have a significant economic impact on a substantial number 
of small entities.

Public Law 96-511, Paperwork Reduction Act (44 U.S.C. Chapter 35)

    It has been certified that this part does not impose any reporting 
or record keeping requirements under the Paperwork Reduction Act of 
1995.

List of Subjects in 32 CFR Part 326

    Privacy.

    Accordingly, Title 32 of the CFR is amended in Chapter I, 
subchapter O, by adding part 326 to read as follows:

PART 326--NATIONAL RECONNAISSANCE OFFICE PRIVACY ACT PROGRAM

Sec.
326.1  Purpose.
326.2  Application.
326.3  Definitions.
326.4  Policy.
326.5  Responsibilities.
326.6  Policies for processing requests for records.
326.7  Procedures for collection.
326.8  Procedures for requesting access.
326.9  Procedures for disclosure of requested records.
326.10  Procedures to appeal denial of access to requested record.
326.11  Special procedures for disclosure of medical and 
psychological records.
326.12  Procedures to request amendment or correction of record.
326.13  Procedures to appeal denial of amendment.
326.14  Disclosure of record to person other than subject.
326.15  Fees.
326.16  Penalties.
326.17  Exemptions.

    Authority: Pub. L. 93-579, 88 Stat 1896 (5 U.S.C. 552a).


Sec. 326.1  Purpose.

    This part implements the basic policies and procedures outlined in 
the Privacy Act of 1974, as amended (5 U.S.C. 552a), and 32 CFR part 
310; and establishes the National Reconnaissance Office Privacy Program 
(NRO) by setting policies and procedures for the collection and 
disclosure of information maintained in records on individuals, the 
handling of requests for amendment or correction of such records, 
appeal and review of NRO decisions on these matters, and the 
application of exemptions.


Sec. 326.2  Application.

    Obligations under this part apply to all employees detailed, 
attached, or assigned to or authorized to act as agents of the National 
Reconnaissance Office. The provisions of this part shall be made 
applicable by contract or other legally binding action to government 
contractors whenever a contract is let for the operation of a system of 
records or a portion of a system of records.

[[Page 20373]]

Sec. 326.3  Definitions.

    Access. The review or copying of a record or its parts contained in 
a system of records by a requester.
    Agency. Any executive or military department, other establishment, 
or entity included in the definition of agency in 5 U.S.C. 522(f).
    Control. Ownership or authority of the NRO pursuant to federal 
statute or privilege to regulate official or public access to records.
    Disclosure. The authorized transfer of any personal information 
from a system of records by any means of communication (such as oral, 
written, electronic, mechanical, or actual review) to any person, 
private entity, or government agency other than the subject of the 
record, the subject's designated agent, or the subject's legal 
guardian.
    He, him, and himself. Generically used in this part to refer to 
both males and females.
    Individual or requester. A living citizen of the U.S. or an alien 
lawfully admitted to the U.S. for permanent residence and to whom a 
record might pertain. The legal guardian or legally authorized agent of 
an individual has the same rights as the individual and may act on his 
behalf. No rights are vested in the representative of a dead person or 
in persons acting in an entrepreneurial (for example, sole 
proprietorship or partnership) capacity under this part.
    Interested party. Any official in the executive (including 
military), legislative, or judicial branches of government, U.S. or 
foreign, or U.S. Government contractor who, in the sole discretion of 
the NRO, has a subject matter or physical interest in the documents or 
information at issue.
    Maintain. To collect, use, store, disclose, retain, or disseminate 
when used in connection with records.
    Originator. The NRO employee or contractor who created the document 
at issue or his successor in office or any official who has been 
delegated release or declassification authority pursuant to law.
    Personal information. Information about any individual that is 
intimate or private to the individual, as distinguished from `corporate 
information' which is in the public domain and related solely to the 
individual's official functions or public life (i.e., employee's name, 
job title, work phone, grade/rank, job location).
    Privacy Act Coordinator. The NRO Information and Access Release 
Center Chief who serves as the NRO manager of the information review 
and release program instituted under the Privacy Act.
    Record. Any item, collection, or grouping of information about an 
individual that is maintained by the NRO, including, but not limited 
to, the individual's education, financial transactions, medical 
history, and criminal or employment history, and that contains the 
individual's name or identifying number (such as Social Security or 
employee number), symbol, or other identifying particular assigned to 
the individual, such as fingerprint, voice print, or photograph. 
Records include data about individuals which is stored in computers.
    Responsive record. Documents or records that the NRO has determined 
to be within the scope of a Privacy Act request.
    Routine use. The disclosure of a record outside the Department of 
Defense (DoD) for a use that is compatible with the purpose for which 
the information was collected and maintained by NRO. Routine use 
encompasses not only common or ordinary use, but also all the proper 
and necessary uses of the record even if such uses occur infrequently. 
All routine uses must be published in the Federal Register.
    System managers. Officials who have overall responsibility for a 
Privacy Act system of records.
    System notice. The official public notice published in the Federal 
Register of the existence and general content of the system of records.
    System of records. A group of any records under the control of the 
NRO from which information is retrieved by the name of an individual or 
by some identifying number, symbol, or other identifying particular 
assigned to that individual.
    Working days. Days when the NRO is operating and specifically 
excludes Saturdays, Sundays, and legal public holidays.


Sec. 326.4  Policy.

    (a) Records about individuals--
    (1) Collection. The NRO will safeguard the privacy of individuals 
identified in its records. Information about an individual will, to the 
greatest extent practicable, be collected directly from the individual, 
and personal information will be protected from unintentional or 
unauthorized disclosure by treating it as marked `For Official Use 
Only.' Access to personal information will be restricted to those 
employees whose official duties require it during the regular course of 
business.
    (i) Privacy Act Statement. When an individual is requested to 
furnish personal information about himself for inclusion in a system of 
records, a Privacy Act Statement is required to enable him to make an 
informed decision whether to provide the information requested. A 
Privacy Act Statement may appear, in order of preference, at the top or 
bottom of a form, on the reverse side of a form, or attached to the 
form as a tear-off sheet.
    (ii) Social Security Numbers (SSNs). It is unlawful for any 
governmental agency to deny an individual any right, benefit, or 
privilege provided by law because the individual refuses to provide his 
SSN. However, if a federal statute requires that the SSN be furnished 
or if the SSN is required to verify the identity of an individual in a 
system of records that was established and in use before January 1, 
1975, this restriction does not apply. When collecting the SSN, a 
`qualified' Privacy Act Statement must be provided even if the SSN will 
not be maintained in a system of records. The 'qualified' Privacy Act 
Statement shall inform the individual whether the disclosure is 
mandatory or voluntary, by what statutory or other authority such 
number is solicited, and what uses will be made of it.
    (2) Maintenance. The NRO will maintain in its records only such 
information about an individual which is accurate, relevant, timely, 
and necessary to accomplish a purpose which is required by statute or 
Executive Order. All records used by the NRO to make determinations 
about individuals will be maintained with such accuracy and 
completeness as is reasonably necessary to assure fairness to the 
individual.
    (3) Existence. The applicability of the Privacy Act depends on the 
existence of an identifiable record. The procedures described in NRO 
regulations do not require that a record be created or that an 
individual be given access to records that are not retrieved by name or 
other individual identifier. Nor do these procedures entitle an 
individual to have access to any information compiled in reasonable 
anticipation of a civil action or proceeding. NRO will maintain only 
those systems of records that have been described through notices 
published in the Federal Register. A system of records from which 
records may be retrieved by a name or some other personal identifier 
must be under NRO control for consideration under this part.
    (4) Disposal. The NRO will archive, dispose of, or destroy records 
containing personal data in a manner to prevent specific records from 
being readily

[[Page 20374]]

identified or inadvertently compromised.
    (b) Evaluation of records. Statutory authority to establish and 
maintain a system of records does not grant unlimited authority to 
collect and maintain all information which may be useful or convenient. 
Directorates and offices maintaining records will evaluate each 
category of information in records systems for necessity and relevance 
prior to republication of all system notices in the Federal Register 
and during the design phase or change of a system of records. The 
following will be considered in the evaluation:
    (1) Relationship of each item of information to the statutory 
purpose for which the system is maintained;
    (2) Specific adverse consequences of not collecting each category 
of information; and
    (3) Techniques for purging parts of the records.
    (c) Disclosure of records. The NRO will provide the fullest access 
practicable by individuals to NRO records concerning them. Release of 
personal information to such individuals is not considered public 
release of information. Upon receipt of a written request, the NRO will 
release to individuals those records that are releasable and applicable 
to the individual making the request. Generally, information, other 
than that exempted by law and this part, will be provided to the 
individual. NRO personnel will comply with the Privacy Act of 1974, as 
amended, the DoD Privacy Act Program (32 CFR part 310), and the NRO 
Privacy Act Program. No NRO records shall be disclosed by any means of 
communication to any person or to any agency except pursuant to a 
written request by or the prior written consent of the individual to 
whom it pertains, unless disclosure of the record will be:
    (1) To those employees of the NRO who have an official need for the 
record in the performance of their duties.
    (2) Required to be disclosed to a member of the public under the 
Freedom of Information Act, as amended.
    (3) For a routine use as defined in the Privacy Act.
    (4) To the Census Bureau for the purpose of conducting a census or 
survey or related activity authorized by law.
    (5) To a recipient who has provided the NRO with advance, adequate 
written assurance that the record will be used solely as statistical 
research and that the record is to be transferred in a form in which 
the individual is not identifiable.
    (6) To the National Archives of the United States as a record which 
has sufficient historical or other value to warrant its continued 
preservation by the U. S. Government.
    (7) To another agency or to an instrumentality of any governmental 
jurisdiction within or under the control of the U.S. for a civil or 
criminal law enforcement activity if such activity is authorized by law 
and if the head of the agency or governmental entity has made a written 
request to the NRO specifying the particular portion of the record and 
the law enforcement activity for which the record is sought (blanket 
requests will not be accepted); a record may also be disclosed to a law 
enforcement agency at the initiative of the NRO pursuant to the blanket 
routine use for law enforcement when criminal conduct is indicated in 
the record.
    (8) To a person showing compelling circumstances affecting the 
health or safety of an individual if, upon such disclosure, 
notification is sent to the last known address of the individual to 
whom the record pertains (emergency medical information may be released 
by telephone).
    (9) To Congress or any committee, joint committee, or subcommittee 
of Congress with respect to a matter under its jurisdiction. This 
provision does not authorize the disclosure of a record to members of 
Congress acting in their individual capacities or on behalf of their 
constituents making third party requests. However, such releases may be 
made pursuant to the blanket routine use for Congressional inquiries 
when a constituent has sought the assistance of his Congressman for the 
constituent's individual record(s).
    (10) To the Comptroller General or any of his authorized 
representatives in the course of the performance of the duties of the 
General Accounting Office.
    (11) Pursuant to an order of a court of competent jurisdiction. 
When the record is disclosed under compulsory legal process and when 
the issuance of that order or subpoena is made public by the court 
which issued it, the NRO will make reasonable efforts to notify the 
individual to whom the record pertains by mail at the most recent 
address contained in NRO records.
    (12) To a consumer reporting agency in accordance with 31 U.S.C. 
3711(f).
    (d) Allocation of resources. NRO components shall exercise due 
diligence in their responsibilities under the Privacy Act and must 
devote a reasonable level of personnel to respond to requests on a 
`first-in, first-out' basis. In allocating Privacy Act resources, the 
component shall consider its imposed business demands, the totality of 
resources available to it, the information review and release demands 
imposed by Congress and other governmental authorities, and the rights 
of the public under various disclosure laws. The PA Coordinator will 
establish priorities for cases consistent with established law to 
ensure that smaller as well as larger `project' cases receive equitable 
attention.
    (e) Written permission for disclosure. Disclosures made under 
circumstances not delineated in this part shall be made only if the 
written permission of the individual involved has been obtained. 
Written permission shall be recorded on or appended to the document 
transmitting the personal information to the other agency, in which 
case no separate accounting of the disclosure need be made. Written 
permission is required in each case; that is, once obtained, written 
permission for one case does not constitute blanket permission for 
other disclosures.
    (f) Coordination with other government agencies. Records systems of 
the NRO may contain records originated by other agencies that may have 
claimed exemptions for them under the Privacy Act. Where appropriate, 
coordination will be effected with the originating agency. The NRO will 
comply with the instructions issued by another agency responsible for a 
system of records (e.g., Office of Personnel Management) in granting 
access to such records. Records containing information or interests of 
another government agency will not be released until coordination with 
the other agency involved. A request for information pertaining to the 
individual in an NRO record system received from another federal agency 
will be coordinated with the originating agency.
    (g) Accounting for disclosure. Except for disclosures made under 
paragraphs (c)(1) and (c)(2) of this section, an accurate account of 
the disclosures shall be kept by the record holder in consultation with 
the Privacy Act Coordinator (PA Coordinator). There need not be a 
notation on a single document of every disclosure of a particular 
record. The record holder should be able to construct from its system 
of records the accounting information:
    (1) When required by the individual to whom the record pertains, or
    (2) When necessary to inform previous recipients of any amended 
records. The accounting shall be retained for at least five years or 
for the life of the record, whichever is longer, to be available for 
review by the subject of the record at his request except for

[[Page 20375]]

disclosures made under paragraph (c)(7) of this section.
    (h) Application of rules. Any request for access, amendment, 
correction, etc., of personal record information in a system of records 
by an individual to whom such information pertains will be governed by 
the Privacy Act of 1974, as amended, DoD regulatory authority, and this 
part, exclusively. Any denial or exemption of all or part of a record 
from access, disclosure, amendment, correction, etc., will be processed 
under DoD regulatory authority and this part, unless court order or 
other competent authority directs otherwise.
    (i) First Amendment rights. No NRO official or component may 
maintain any information pertaining to the exercise by an individual of 
his rights under the First Amendment without the permission of that 
individual unless such collection is specifically authorized by statute 
or pertains to an authorized law enforcement activity.
    (j) Non-system information on individuals. The following 
information is not considered part of personal records systems 
reportable under this part and may be maintained by NRO for ready 
identification, contact, and property control purposes only, provided 
it is not maintained in a system of records. If at any time the 
information described in this paragraph is being maintained in a system 
of records, the information is subject to the Privacy Act.
    (1) Identification information at doorways, building directories, 
desks, lockers, name tags, etc.
    (2) Geographical or agency contact cards.
    (3) Property receipts and control logs for building passes, 
credentials, vehicles, etc.
    (4) Personal working notes of employees that are merely an 
extension of the author's memory, if maintained properly, do not come 
under the Privacy Act. Personal notes are not considered official NRO 
records if they meet the following requirements:
    (i) Keeping or discarding notes must be at the sole discretion of 
the author. Any requirement by supervising authority, whether by oral 
or written directive, regulation, policy, or memo to maintain such 
notes, likely would cause the notes to become official agency records.
    (ii) Such notes must be restricted to the author's personal use as 
memory aids, and only the author may have access to them. Passing them 
to a successor or showing them to other personnel (including supporting 
staff such as secretaries) would likely cause them to become agency 
records.
    (5) Rosters. The NRO has no restriction against rosters that 
contain only corporate information such as name, work telephone number, 
and position. Good recordkeeping practices dictate that only rosters 
that are relevant and necessary to the NRO's operations may be 
maintained, and therefore convenience rosters, which by definition do 
not satisfy the test, may not be maintained.


Sec. 326.5  Responsibilities.

    (a) The Director, NRO (DNRO):
    (1) Supervises the execution of the Privacy Act and this part 
within the NRO.
    (2) Appoints:
    (i) The Chief, Information Access and Release Center as the NRO 
Privacy Act Coordinator.
    (ii) The Director of Security, the Director of Policy, and the NRO 
General Counsel as the NRO Appeals Panel; and
    (iii) The Chief of Staff as the Senior Official for Privacy Policy 
and the Privacy Act Appeal Authority.
    (b) The Privacy Act Coordinator, NRO:
    (1) Establishes, issues, and updates policy for the NRO Privacy Act 
Program, monitors compliance, and serves as the principal NRO point of 
contact on all Privacy Act matters.
    (2) Receives, processes, and responds to all Privacy Act requests 
received by the NRO, including:
    (i) Granting, granting in part, or denying an initial Privacy Act 
request for access or amendment to a record, and notifying a requester 
of such actions taken in regard to that request.
    (ii) Granting a requester access to all or part of a record under 
dispute when, after a review, a decision is made in favor of a 
requester.
    (iii) Directing the appropriate NRO component to amend a record and 
advising other record holders to amend a record when a decision is made 
in favor of a requester.
    (iv) Notifying a requester, if a request is denied, of the reasons 
for denial and the procedures for appeal to the Privacy Act Appeal 
Authority.
    (v) Notifying a requester of his right to file a concise statement 
of his reasons for disagreement with the NRO's refusal to amend a 
record.
    (vi) Directing that a requester's statement of reasons for the 
request to amend, his concise statement of disagreement with the NRO's 
refusal to amend a record, and the NRO's letter of denial be included 
in the file containing the disputed record.
    (vii) Referring all appeals to the Privacy Act Appeals Panel and 
Appeal Authority.
    (viii) Notifying a requester of any required fees and delivering 
such collected fees to the Comptroller.
    (ix) Obtaining supplemental information from the requester when 
required.
    (3) Serves as the NRO point of contact with the Defense Privacy 
Office.
    (4) Reviews NRO use of records, and at least 40 calendar days prior 
to establishing a new agency system of records, ensures that new or 
amended notices are prepared and published in the Federal Register 
consistent with the requirements of 32 CFR part 310;
    (5) Coordinates with forms managers to ensure that a Privacy Act 
Statement is on all forms or in all other methods used to collect 
personal information for inclusion in any NRO records system;
    (6) Prepares the NRO Privacy Act report for submission to the DoD 
Privacy Office and to other authorities, as required by 32 CFR part 
310.
    (7) Reviews all procedures, including forms, which require an 
individual to furnish information for conformity with the Privacy Act.
    (8) Retains the accounting of disclosures for at least five years 
or for the life of the record, whichever is longer, to be available for 
review by the subject of the record at his request except for 
disclosures made under paragraph (c)(7) of Sec. 326.4; and
    (9) Develops and oversees Privacy Act Program training for NRO 
personnel.
    (c) The Privacy Act Appeals Panel, NRO:
    (1) Meets and reviews all denials appealed by means of the NRO 
internal appeals process; and
    (2) Recommends a finding to the Privacy Act Appeal Authority by a 
majority vote of those present at the meeting and based on the written 
record and the panel's deliberations.
    (d) The Privacy Act Appeal Authority, NRO:
    (1) Determines all NRO Privacy Act appeals.
    (2) Reports the determination to the PA Coordinator.
    (3) Signs the final appeal letter to the requester.
    (e) General Counsel, NRO:
    (1) Ensures uniformity in NRO legal positions concerning the 
Privacy Act and reviews proposed responses to Privacy Act requests to 
ensure legal sufficiency, as appropriate.
    (2) Consults with DoD General Counsel on final denials that may be 
inconsistent with other final decisions within DoD; raises new legal 
issues of potential significance to other government agencies.
    (3) Provides advice and assistance to the DNRO, the PA Coordinator, 
and

[[Page 20376]]

component Directors, as required, in the discharge of their 
responsibilities pertaining to the Privacy Act.
    (4) Advises on all legal matters concerning the Privacy Act, 
including legal decisions, rulings by the Department of Justice, and 
actions by DoD and other commissions on the Privacy Act.
    (5) Approves all Privacy Act Statements prior to their reproduction 
and distribution.
    (6) Acts as the NRO focal point for Privacy Act litigation with the 
Department of Justice.
    (7) Provides a status report to the Defense Privacy Office, 
consistent with the requirements of 32 CFR part 310, whenever an 
individual brings suit under subsection (g) of the Privacy Act against 
NRO.
    (f) Chief Information Officer (CIO), NRO:
    (1) Ensures that NRO systems of records databases have procedures 
to protect the confidentiality of personal records maintained or 
processed by means of automatic data processing (ADP) systems and 
ensures that ADP systems contain appropriate safeguards for the privacy 
of personnel.
    (2) Coordinates with the PA Coordinator before developing or 
modifying CIO-sponsored ADP supported files subject to the provisions 
of this part.
    (g) Directorate and Office Managers, NRO:
    (1) Ensure that records contained in their directorate or office 
systems of records are disclosed only to those NRO officials or 
employees who require the records for official purposes.
    (2) Review their own directorate and office systems of records to 
ensure and certify that no systems of records other than those listed 
in the Federal Register System Notices are maintained; notify the CIO 
and the PA Coordinator promptly whenever there are changes to 
processing equipment, hardware, software, or database that may require 
an amended system notice.
    (3) Maintain only such information about an individual as is 
relevant and necessary to accomplish a purpose which is required by 
statute or Executive Order and identify the specific provision of law 
or Executive Order which provides authority for the maintenance of 
information in each system of records.
    (h) System Managers, NRO:
    (1) Ensure that adequate safeguards have been established and are 
enforced to prevent the misuse, unauthorized disclosure, alteration, or 
destruction of personal information contained in system records.
    (2) Ensure that all personnel who have access to the system of 
records, or are engaged in developing or supervising procedures for 
handling records, are aware of their responsibilities established by 
the NRO Privacy Act Program.
    (3) Evaluate each system of records during the planning stage and 
at regular intervals. The following factors should be considered:
    (i) Relationship of data to be collected and retained to the 
purposes for which the system is maintained (all information must be 
relevant and necessary to the purpose for which it is collected).
    (ii) The specific impact on the purpose or mission if categories of 
information are not collected (all data fields must be necessary to 
accomplish a lawful purpose or mission).
    (iii) Whether informational needs can be met without using personal 
identifiers.
    (iv) The cost of maintaining and disposing of records within the 
systems of records and the length of time each item of information must 
be retained according to the NRO Records Control Schedule as approved 
by the National Archives and Records Administration.
    (4) Review system alterations or amendments to evaluate for 
relevancy and necessity.
    (i) Forms and Information Managers. All NRO individuals responsible 
for forms or methods used to collect personal information from 
individuals will:
    (1) Ensure that Privacy Act Statements are on appropriate forms and 
that new forms have the required Privacy Act Statement.
    (2) Determine, with General Counsel's concurrence, which forms 
require Privacy Act Statements and will prepare such statements.
    (3) Assist the initiators in determining whether a form, format, 
questionnaire, or report requires a Privacy Act Statement. Privacy Act 
Statements must be complete, specific, written in plain English, and 
approved by the Office of General Counsel.
    (j) Employees, NRO:
    (1) Will be familiar with the provisions of this part regarding the 
maintenance of systems of records, authorized access, and authorized 
disclosure;
    (2) Will collect, maintain, use, and/or disseminate records 
containing identifiable personal information only for lawful purposes; 
will keep the information current, complete, relevant, and accurate for 
its intended use; and will safeguard the records in a system and keep 
them the minimum time required;
    (3) Will not disclose any personal information contained in any 
system of records, except as authorized by the Privacy Act and this 
part;
    (4) Will maintain no system of records concerning individuals 
except those authorized, and will maintain no other information 
concerning individuals except as necessary for the conduct of business 
at the NRO;
    (5) Will provide individuals a Privacy Act Statement when asking 
them to provide information about themselves. The Privacy Act Statement 
will include the authority under which the information is being 
requested, whether disclosure of the information is mandatory or 
voluntary, the purposes for which it is being requested, the uses to 
which it will be put, and the consequences of not providing the 
information;
    (6) May not deny an individual any right or privilege provided by 
law because of that individual's failure to disclose his SSN unless 
such information is required by federal statute or disclosure was 
required by statute or regulations adopted prior to January 1, 1975. If 
disclosure of the SSN is not required, NRO directorates and offices are 
not precluded from requesting it from individuals; however, the Privacy 
Act Statement must make clear that the disclosure of the SSN is 
voluntary and, if the individual refuses to disclose it, must be 
prepared to identify him by alternate means.
    (7) Will collect personal information directly from the subject 
whenever possible; employees may collect information from third parties 
when that information must be verified, opinions or evaluations are 
required, the subject cannot be contacted, or the subject requests it.
    (8) Will keep paper and electronic records which contain personal 
information and are retrieved by name or personal identifier only in 
approved systems published in the Federal Register.
    (9) Will amend and correct records when directed by the PA 
Coordinator.
    (10) Will report to the PA Coordinator any disclosures of personal 
information from a system of records, or the maintenance of any system 
of records, not authorized by this part.


Sec. 326.6  Policies for processing requests for records.

    (a) An individual's written request for access to records about 
himself which does not specify the Act under which the request is made 
will be processed under both the Freedom of Information

[[Page 20377]]

Act (FOIA) and the Privacy Act and the applicable regulations. Such 
requests will be processed under both Acts regardless of whether the 
requester cites one Act, both, or neither in the request in order to 
ensure the maximum possible disclosure to the requester. Individuals 
may not be denied access to a record pertaining to themselves merely 
because those records are exempt from disclosure under the FOIA.
    (b) A Privacy Act request that neither specifies the system(s) of 
records to be searched nor identifies the substantive nature of the 
information sought will be processed by searching the systems of 
records categorized as Environmental Health, Safety and Fitness, FOIA/
Privacy, General, and Security.
    (c) A Privacy Act request that does not designate the system(s) of 
records to be searched but does identify the substantive nature of the 
information sought will be processed by searching those systems of 
records likely to have information similar to that sought by the 
requester.
    (d) The NRO will not disclose any record to any person or 
government agency except by written request or prior written consent of 
the subject of the record unless the disclosure is required by law or 
is within the exceptions of the Privacy Act. If a requester authorizes 
another individual to obtain the requested records on his behalf, the 
requester shall provide a written, signed, notarized statement 
appointing that individual as his representative and certifying that 
the individual appointed may have access to the requester's records and 
that such access shall not constitute an invasion of his privacy nor a 
violation of his rights under the Privacy Act. In lieu of a notarized 
statement, the NRO will accept a declaration in accordance with 28 
U.S.C. 1746.
    (e) Upon receipt of a written request, the Privacy Act Coordinator 
(PA Coordinator) will release to the requester those records which are 
releasable and applicable to the individual making the request. Records 
about individuals include data stored electronically or in electronic 
media. Documentary material qualifies as a record if the record is 
maintained in a system of records.
    (f) Initial availability, potential for release, and cost 
determination will usually be made within ten working days of the date 
on which a written request for any identifiable record is received by 
the NRO (and acknowledgement is sent to the individual). If additional 
time is needed due to unusual circumstances, a written notification of 
the delay will be forwarded to the requester within the ten working day 
period. This notification will briefly explain the circumstances for 
the delay and indicate the anticipated date for a substantive response.
    (g) All requests will be handled in the order received on a `first-
in, first-out' basis. Requests will be considered for expedited 
processing only if the NRO determines that there is a genuine health, 
humanitarian, or due process reason involving possible deprivation of 
life or liberty which creates an exceptional and urgent need, that 
there is no alternative forum for the records sought, and that 
substantive records relevant to the stated needs may exist and be 
releasable.
    (h) Records provided or originated by another agency or containing 
other agency information will not be released prior to coordination 
with the other agency involved.
    (i) Requesting or obtaining access to records under false pretenses 
is a violation of the Privacy Act and is subject to criminal penalties.


Sec. 326.7  Procedures for collection.

    (a) To the maximum extent practical, personal information about an 
individual will be obtained directly from that individual.
    (b) Whenever an individual is asked to provide personal 
information, including Social Security Number (SSN) or a personal 
identifier, about himself, a Privacy Act Statement will be furnished 
that will advise him of the authority (whether by statute or by 
Executive Order) under which the information is requested, whether 
disclosure of the information is voluntary or mandatory, the purposes 
for which it is requested, the uses to which it will be put, and the 
consequences of not providing the information.
    (c) When asking third parties to provide information about other 
individuals, NRO employees will advise them:
    (1) Of the purpose of the request, and
    (2) That their identities and the information they are furnishing 
may be released to the individual unless they expressly request 
confidentiality. All persons interviewed must be informed of their 
rights and offered confidentiality.


Sec. 326.8  Procedures for requesting access.

    (a) Request in writing. An individual seeking notification of 
whether a system of records contains a record pertaining to him, or an 
individual seeking access to records pertaining to him which are 
available under the Privacy Act, shall address the request in writing 
to the Privacy Act Coordinator, National Reconnaissance Office, 14675 
Lee Road, Chantilly, VA 20151-1715. The request should contain at least 
the following information:
    (1) Identification. Reasonable identification, including first 
name, middle name or initial, surname, any aliases or nicknames, Social 
Security Number, and return address of the individual concerned, 
accompanied by a signed notarized statement that such information is 
true under penalty of perjury and swearing to or affirming his 
identity. An unsworn declaration, under 28 U.S.C. 1746, also is 
acceptable. In the case of a request for records of a sensitive nature 
if the PA Coordinator determines that this information does not 
sufficiently identify the individual, the PA Coordinator may requests 
additional identification or clarification of information submitted by 
the individual.
    (i) In addition, an alien lawfully admitted for permanent residence 
shall provide his Alien Registration Number and the date that status 
was acquired.
    (ii) The parent or guardian of a minor or of a person judicially 
determined to be incompetent, or an attorney retained to represent an 
individual, in addition to establishing the identity of the minor or 
person represented as required in this part, shall provide evidence of 
his own identity as required in this part and evidence of such 
parentage, guardianship, or representation by submitting a certified 
copy of the minor's birth certificate, the court order establishing 
such guardianship, or the representation agreement which establishes 
the relationship.
    (2) Cost. A statement of willingness to pay reproduction costs. 
Processing of requests and administrative appeals from individuals who 
owe outstanding fees will be held in abeyance until such fees are paid.
    (3) Record sought. A description, to the best of his ability, of 
the nature of the record sought and the system in which it is thought 
to be included. In lieu of this, a requester may simply describe why 
and under what circumstances he believes that the NRO maintains 
responsive records; the NRO will undertake the appropriate searches.
    (b) Access on behalf of the individual. If the requester wishes 
another person to obtain the records on his behalf, the requester will 
furnish a notarized statement or unsworn declaration appointing that 
person as his representative, authorizing him access to the record, and 
affirming that access will not constitute an invasion of the 
requester's privacy or a violation of his

[[Page 20378]]

rights under the Privacy Act. The NRO requires a written statement to 
authorize discussion of the individual's record in the presence of a 
third person.


Sec. 326.9  Procedures for disclosure of requested information.

    (a) The PA Coordinator shall acknowledge receipt of the request in 
writing within ten working days.
    (b) Upon receipt of a request, the PA Coordinator shall refer the 
request to those components most likely to possess responsive records. 
The components shall search all relevant record systems within their 
cognizance and shall:
    (1) Determine whether a responsive record exists in a system of 
records.
    (2) Determine whether access must be denied and on what legal 
basis. An individual may be denied access to his records under the 
Privacy Act only if an exemption has been properly claimed for all or 
part of the records or information requested; or if the information was 
compiled in reasonable anticipation of a civil action or proceeding.
    (3) Approve the disclosure of records for which they are the 
originator.
    (4) Forward to the PA Coordinator all records approved for release 
or necessary for coordination with or referral to another originator or 
interested party as well as notification of the specific determination 
for any denial.
    (c) When all records have been collected, the PA Coordinator shall 
notify the individual of the determination and shall provide an exact 
copy of records deemed to be accessible if a copy has been requested.
    (d) When an original record is illegible, incomplete, or partially 
exempt from release, the PA Coordinator shall explain in terms 
understood by the requester the portions of a record that are unclear.
    (e) If access to requested records, or any portion thereof, is 
denied, the PA Coordinator shall inform the requester in writing of the 
specific reason(s) for denial, including the specific citation to 
appropriate sections of the Privacy Act or other statutes, this and 
other NRO regulations, or the Code of Federal Regulations authorizing 
denial, and the right to appeal this determination through the NRO 
appeal procedure within 60 calendar days. The denial shall include the 
date of denial, the name and title/position of the denial authority, 
and the address of the NRO Appeal Authority. Access may be refused when 
the records are exempt by the Privacy Act. Usually an individual will 
not be denied access to the entire record, but only to those portions 
to which the denial of access furthers the purpose for which an 
exemption was claimed.


Sec. 326.10  Procedures to appeal denial of access to requested record.

    (a) Any individual whose request for access is denied may request a 
review of the initial decision within 60 calendar days of the date of 
the notification of denial of access by appealing within the NRO 
internal appeals process. If a requester elects to request NRO review, 
the request shall be sent in writing to the Privacy Act Coordinator, 
National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-
1715, briefly identifying the particular record which is the subject of 
the request and setting forth the reasons for the appeal. The request 
should enclose a copy of the denial correspondence. The following 
procedures apply to appeals within the NRO:
    (1) The PA Coordinator, after acknowledging receipt of the appeal, 
shall promptly refer the appeal to the record-holding components, 
informing them of the date of receipt of the appeal and requesting that 
the component head or his designee review the appeal.
    (2) The record-holding components shall review the initial denial 
of access to the requested records and shall inform the PA Coordinator 
of their review determination.
    (3) The PA Coordinator shall consolidate the component responses, 
review the record, direct such additional inquiry or investigation as 
is deemed necessary to make a fair and equitable determination, and 
make a recommendation to the NRO Appeals Panel, which makes a 
recommendation to the Appeal Authority.
    (4) The Appeal Authority shall notify the PA Coordinator of the 
result of the determination on the appeal, who shall notify the 
individual of the determination in writing.
    (5) If the determination reverses the initial denial, the PA 
Coordinator shall provide a copy of the records requested. If the 
determination upholds the initial denial, the PA Coordinator shall 
inform the requester of his right to judicial review in U.S. District 
Court and shall include the exact reasons for denial with specific 
citations to the provisions of the Privacy Act, other statutes, NRO 
regulations, or the Code of Federal Regulations upon which the 
determination is based.
    (b) The Appeal Authority shall act on the appeal or provide a 
notice of extension within 30 working days.


Sec. 326.11  Special procedures for disclosure of medical and 
psychological records.

    When requested medical and psychological records are not exempt 
from disclosure, the PA Coordinator may determine which non-exempt 
medical or psychological records should not be sent directly to the 
requester because of possible harm or adverse impact to the requester 
or another person. In that event, the information may be disclosed to a 
physician named by the requester. The appointment of the physician will 
be in the same notarized form or declaration as described in Sec. 326.8 
and will certify that the physician is licensed to practice in the 
appropriate specialty (medicine, psychology, or psychiatry). Upon 
designation, verification of the physician's identity, and agreement by 
the physician to review the documents with the requester to explain the 
meaning of the documents and to offer counseling designed to mitigate 
any adverse reaction, the NRO will forward such records to the 
designated physician. If the requester refuses or fails to designate a 
physician, the record shall not be provided. Under such circumstances 
refusal of access is not considered a denial for Privacy Act reporting 
purposes. However, if the designated physician declines to furnish the 
records to the individual, the PA Coordinator will take action to 
ensure that the records are provided to the individual.


Sec. 326.12  Procedures to request amendment or correction of record.

    (a) An individual may request amendment or correction of a record 
pertaining to him/her by addressing such request in writing, to the 
Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee 
Road, Chantilly, VA 20151-1715. Incomplete or inaccurate requests will 
not be rejected categorically; instead, the requester will be asked to 
clarify the request as needed. A request will not be rejected or 
require resubmission unless additional information is essential to 
process the request. Usually, amendments under this part are limited to 
correcting factual errors and not matters of official judgment, such as 
promotion ratings and job performance appraisals. The requester must 
adequately support his claim and must identify:
    (1) The particular record he wishes to amend or correct, specifying 
the number of pages and documents, the titles of the documents, form 
numbers if any, dates on documents, and individuals who signed them. 
Any reasonable description of the documents is

[[Page 20379]]

acceptable. A clear and specific description of passages, pages, or 
documents to be amended will expedite processing the request.
    (2) The desired amending language. The requester should specify the 
type of amendment, including complete removal of data, passages, or 
documents from record or correction of information to make it accurate, 
more timely, complete, or relevant.
    (3) A justification for such amendment or correction to include any 
documentary evidence supporting the request.
    (b) Individuals will be required to provide verification of 
identity as in Sec. 326.8. to ensure that the requester is seeking to 
amend records pertaining to himself and not, inadvertently or 
intentionally, the records of another individual.
    (c) Minor factual errors in an individual's personal record may be 
corrected routinely upon request without resort to the Privacy Act or 
the provisions of this part, if the requester and the record holder 
agree to that procedure and the requester receives a copy of the 
corrected record whenever possible. A written request is not required 
when individuals indicate amendments during routine annual review and 
updating of records programs conducted by the NRO for civilian 
personnel and the Services for military personnel. Requests for 
deletion, removal of records, and amendment of substantive factual 
information will be processed according to the Privacy Act and the 
provisions of this part.
    (d) The PA Coordinator shall acknowledge receipt of the request in 
writing within ten working days. No separate acknowledgement of receipt 
is necessary if the request can be either approved or denied and the 
requester advised within the ten-day period. For written requests 
presented in person, written acknowledgement may be provided at the 
time the request is presented.
    (e) The PA Coordinator shall refer such request to the record-
holder components, shall advise those components of the date of 
receipt, and shall request that those components make a prompt 
determination on such request.
    (f) The record-holder components shall promptly:
    (1) Make any amendment or correction to any portion of the record 
which the individual believes is not accurate, relevant, timely, or 
complete and notify the PA Coordinator and all holders and recipients 
of such records and their amendments that the correction was made; or
    (2) Set forth the reasons for the refusal, if they determine that 
the requested amendment or correction will not be made or if they 
decline to make the requested amendment but instead augment the 
official record, and so inform the PA Coordinator.
    (g) The Privacy Act Coordinator shall:
    (1) Inform the requester of the agency's determination to make the 
amendment or correction as requested and notify all prior recipients of 
the change to the disputed records for which an accounting had been 
required; or
    (2) Inform the requester of the specific reasons and legal 
authorities for the agency's refusal and the procedures established for 
him to request a review of that refusal.
    (h) The amendment procedure is not intended to replace other 
existing procedures such as those for registering grievances or 
appealing performance appraisal reports. In such cases the requester 
will be apprised of the appropriate procedures for such actions.
    (i) This part does not permit the alteration of evidence presented 
to courts, boards, or other official proceedings.


Sec. 326.13  Procedures to appeal denial of amendment.

    (a) Any individual whose request for amendment or correction is 
denied may request a review of the initial decision within 60 calendar 
days of the date of the notification of denial by appealing within the 
NRO internal appeals process. If a requester elects to request NRO 
review, the request shall be sent in writing to the Privacy Act 
Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, 
VA 20151-1715, briefly identifying the particular record which is the 
subject of the request and setting forth the reasons for the appeal. 
The request should enclose a copy of the denial correspondence. The 
following procedures apply to appeals within the NRO:
    (1) The PA Coordinator, after acknowledging receipt of the appeal, 
shall promptly refer the appeal to the record-holding components, 
informing them of the date of receipt of the appeal and requesting that 
the component head or his designee review the appeal.
    (2) The record-holding components shall review the initial denial 
of access to the requested records and shall inform the PA Coordinator 
of their review determination.
    (3) The PA Coordinator shall act as secretary of the Appeals Panel. 
He shall:
    (i) Consolidate the component responses and reasons for the initial 
denial.
    (ii) Provide all supporting materials both furnished to and by the 
requester and the record-holding component.
    (iii) Review the record.
    (iv) Direct such additional inquiry or investigation as is deemed 
necessary to make a fair and equitable determination.
    (v) Prepare the record and schedule the appeal for the next meeting 
of the Appeals Panel. The Appeals Panel shall recommend a finding to 
the Appeal Authority by a majority vote of those present at the meeting 
based on the written record and the Panel's deliberations. No personal 
appearances shall be permitted without the express permission of the 
Panel.
    (4) The Appeal Authority shall notify the PA Coordinator of the 
result of the determination on the appeal who shall notify the 
individual of the determination in writing.
    (5) The Appeal Authority will notify the PA Coordinator if the 
determination is that the record should be amended. The PA Coordinator 
will promptly advise the requester and the office holding the record to 
amend the record and to notify all prior recipients of the records for 
which an accounting was required of the change.
    (6) If the determination upholds the initial denial, in whole or in 
part, the PA Coordinator shall inform the requester:
    (i) Of the denial and the reason.
    (ii) Of his right to file in NRO records within 60 calendar days a 
concise statement of the reasons for disputing the information 
contained in the record. If the requester elects to file a statement of 
disagreement, the PA Coordinator will be responsible for clearly noting 
any portion of the record that is disputed and for appending into the 
file the requester's statement as well as a copy of the NRO's letter to 
the requester denying the disputed information, if appropriate. The 
requester's statement and the NRO denial letter will be made available 
to anyone to whom the record is subsequently disclosed, and prior 
recipients of the disputed record will be provided a copy of both to 
the extent that an accounting of disclosures is maintained.
    (iii) Of his right to judicial review in U.S. District Court.
    (7) The Appeal Authority shall act on the appeal or provide a 
notice of extension within 30 working days.


Sec. 326.14  Disclosure of records to person other than subject.

    (a) Personal records contained in a Privacy Act system of records

[[Page 20380]]

maintained by NRO shall not be disclosed by any means to any person or 
agency outside the NRO except with the written consent of the 
individual subject of the record, unless as provided in this part.
    (b) Except for disclosure made to members of the NRO in connection 
with their official duties and disclosures required by the Freedom of 
Information Act, an accounting will be kept of all disclosures of 
records maintained in NRO systems of records and of all disclosures of 
investigative information. Accounting entries will record the date, 
kind of information, purpose of each disclosure, and the name and 
address of the person or agency to whom the disclosure is made. 
Accounting records will be maintained for at least five years after the 
last disclosure or for the life of the record, whichever is longer. 
Subjects of NRO records will be given access to associated accounting 
records upon request except for disclosures made pursuant to 
Sec. 326.4, or where an exemption has been properly claimed for the 
system of records.


Sec. 326.15  Fees.

    Individuals requesting copies of their official personnel records 
are entitled to one free copy; a charge will be assessed for additional 
copies. There is a cost of $.15 per page. Fees will not be assessed if 
the cost is less than $30.00. Fees should be paid by check or postal 
money order payable to the Treasurer of the United States and forwarded 
to the Privacy Act Coordinator, NRO, at the time the copy of the record 
is delivered. In some instances, fees will be due in advance.


Sec. 326.16  Penalties.

    Each request shall be treated as a certification by the requester 
that he is the individual named in the request. The Privacy Act 
provides criminal penalties for any person who knowingly and willfully 
requests or obtains any information concerning an individual under 
false pretenses.


Sec. 326.17  Exemptions.

    (a) All systems of records maintained by the NRO shall be exempt 
from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 
552a(k)(1) to the extent that the system contains any information 
properly classified under Executive Order 12958 and which is required 
by the Executive Order to be withheld in the interest of national 
defense of foreign policy. This exemption, which may be applicable to 
parts of all systems of records, is necessary because certain record 
systems not otherwise specifically designated for exemptions herein may 
contain items of information that have been properly classified.
    (b) No system of records within the NRO shall be considered exempt 
under subsection (j) or (k) of the Privacy Act until the exemption and 
the exemption rule for the system of records has been published as a 
final rule in the Federal Register.
    (c) An individual is not entitled to have access to any information 
compiled in reasonable anticipation of a civil action or proceeding (5 
U.S.C. 552a(d)(5)).
    (d) Proposals to exempt a system of records will be forwarded to 
the Defense Privacy Office, consistent with the requirements of 32 CFR 
part 310, for review and action.

    Dated: April 11, 2000.
L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 00-9417 Filed 4-14-00; 8:45 am]
BILLING CODE 5001-10-F