[Federal Register Volume 68, Number 14 (Wednesday, January 22, 2003)]
[Proposed Rules]
[Pages 2923-2929]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-1100]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 68, No. 14 / Wednesday, January 22, 2003 / 
Proposed Rules

[[Page 2923]]



OFFICE OF GOVERNMENT ETHICS

5 CFR Part 2606

RIN 3209-AA18


Privacy Act Rules

AGENCY: Office of Government Ethics (OGE).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Government Ethics is issuing a proposed rule 
that would establish procedures relating to access, maintenance, 
disclosure, and amendment of records which are in OGE systems of 
records under the Privacy Act of 1974, and that would establish rules 
of conduct for OGE personnel who have responsibilities under that Act.

DATES: Public comments are invited and must be received by March 24, 
2003.

ADDRESSES: Comments should be sent to the Office of Government Ethics, 
Suite 500, 1201 New York Avenue, NW., Washington, DC 20005-3917, 
Attention: Ms. Newton. Electronic comments may also be sent to OGE's 
Internet E-mail address at [email protected] (such comments should include 
the caption ``Proposed Privacy Act Rules'').

FOR FURTHER INFORMATION CONTACT: Elaine Newton, Attorney-Advisor, 
Office of Government Ethics, telephone: 202-208-8000, extension 1137; 
TDD: 202-208-8025; FAX: 202-208-8037.

SUPPLEMENTARY INFORMATION: The Privacy Act of 1974, at 5 U.S.C. 
552a(f), requires every agency that maintains a system of records 
covered by the Privacy Act to promulgate regulations that: (1) 
Establish procedures whereby an individual can be notified in response 
to his request if any system of records named by the individual 
contains a record pertaining to him; (2) define reasonable times, 
places, and requirements for identifying an individual who requests his 
record or information pertaining to him before the agency shall make 
the record or information available to the individual; (3) establish 
procedures for the disclosure to the data subject upon his request of 
his record or information pertaining to him, including special 
procedures if deemed necessary, for the disclosure to the data subject 
of medical records, including psychological records, pertaining to him; 
(4) establish procedures for reviewing a request from the data subject 
concerning the amendment of any record or information pertaining to the 
data subject, for making a determination on the request, for an appeal 
within the agency of an initial adverse agency determination, and for 
whatever additional means may be necessary for each data subject to be 
able to exercise fully his rights under the Privacy Act; and (5) 
establish fees to be charged, if any, to any individual for making 
copies of his record, excluding the cost of the first copy of the 
record provided as well as the cost of any search for and review of the 
record. In addition, section 552a(e)(9) of the Privacy Act requires an 
agency to establish rules of conduct for persons involved in the 
design, development, operation, or maintenance of any system of 
records, or in maintaining any record, and instruct each such person 
with respect to such rules and the requirements of the Act, including 
any other rules and procedures adopted pursuant to the Act and the 
penalties for noncompliance.
    The Privacy Act, at 5 U.S.C. 552a(e)(4), also requires each agency 
that maintains a system of records to publish in the Federal Register 
upon establishment or revision a notice of the existence and character 
of the system of records. In a separate notice published in the Federal 
Register today, OGE is proposing to revise and rename two existing 
Government-wide systems of records under the Privacy Act covering 
Executive Branch Personnel Public Financial Disclosure Reports and 
Other Name-Retrieved Ethics Program Records (OGE/GOVT-1) and Executive 
Branch Confidential Financial Disclosure Reports (OGE/GOVT-2). In 
addition, OGE is issuing, for the first time, five internal systems of 
records to cover current and former OGE employees: Pay, Leave and 
Travel Records (OGE/INTERNAL-1), Telephone Call Detail Records (OGE/
INTERNAL-2), Grievance Records (OGE/INTERNAL-3), Computer Systems 
Activity and Access Records (OGE/INTERNAL-4), and Employee Locator and 
Emergency Notification Records (OGE/INTERNAL-5).

I. General Provisions

    As proposed, subpart A of the rule would contain general provisions 
setting forth the purpose of the regulation (Sec.  2606.101), 
definitions that apply throughout the part (Sec.  2606.102), and a 
description of OGE's executive branch Governmentwide and internal 
systems of records (Sec.  2606.103). As proposed, subpart A of the rule 
would also specify OGE and agency responsibilities for the records 
systems (Sec.  2606.104), and would establish procedures whereby an 
individual can be notified in response to his request if any OGE system 
of records named by the individual contains a record pertaining to him 
(Sec.  2606.105).
    In addition, subpart A would set forth Privacy Act rules of conduct 
and responsibilities for OGE employees who design, develop, operate, or 
maintain a system of records (Sec.  2606.106). These conduct and 
responsibilities rules would not apply to employees of other agencies 
concerned; they would be subject to their own agency's Privacy Act 
conduct and responsibilities rules. These conduct and responsibilities 
rules are authorized by subsection (e)(9) of the Privacy Act, and 
therefore are separate from the Standards of Ethical Conduct in 5 CFR 
part 2635. Various provisions in the Standards of Ethical Conduct 
(e.g., 5 CFR 2635.703 regarding use of nonpublic information) would 
also apply to an employee's conduct as to records covered by the 
Privacy Act.
    Overall, these proposed OGE Privacy Act rules would apply both to 
records in the new OGE internal systems of records as maintained by OGE 
itself, as well as the newly updated and revised OGE executive branch 
Governmentwide systems of records which are maintained both by OGE and 
departments and agencies throughout the executive branch. With respect 
to those other departments and agencies, these proposed regulations 
would set forth the overall procedures for the Governmentwide systems, 
while recognizing that most agencies have their own Privacy Act 
regulations specifying appropriate appeals officials for access and 
amendment denials as well as schedules of fees. The details of these 
agency variations are set forth in

[[Page 2924]]

the relevant proposed sections of the regulatory text, rather than 
here.

II. Access to Records and Accounting of Disclosures

    Subpart B of the rule, as proposed, describes the access process, 
and the accounting of disclosures process. Section 2606.201 would 
detail what a requester would have to submit to obtain access to a 
record pertaining to him in a system of records. Section 2606.202 would 
set forth the procedures when a request for access is received. Section 
2606.203 would set forth the procedures for granting access, including 
the forms of identification necessary to gain access to requested 
records. Section 2606.203 would also state how a record in a system of 
records may be accessed on behalf of a minor, by a legal guardian, when 
the requester is accompanied by another individual, or when the request 
is for certain medical records. Section 2606.204 would describe the 
procedure for appealing a denial of an initial request for access to a 
record or a no record response. Section 2606.205 would describe what 
should be included in the official decision on an appeal from an 
initial denial of access. Section 2606.206 would set the fees that may 
be charged by the Office (or another agency not having its own Privacy 
Act fee schedule) for making copies of a record. Section 2606.207 would 
describe the accounting of disclosures that are kept with respect to 
OGE's systems of records.

III. Amendment of Records

    As proposed, subpart C of the rule explains how a data subject may 
seek to amend his record. Section 2606.301 would set forth the 
procedures for requesting a record be amended, including the 
information that must be contained in the request, and would state that 
the requester has the burden of proof to justify an amendment request. 
Section 2606.302 would set forth the procedures to be followed when an 
amendment request is received.
    If a request to amend a record is denied, the requester would be 
able to appeal the denial by following the procedures that would be set 
forth in Sec.  2606.303. Section 2606.304 would set forth the 
procedures for responding to an appeal from an initial denial of a 
request to amend a record. Section 2606.304 also would set forth the 
information that should be included in the official appeal 
determination. Finally, Sec.  2606.304(d) would provide procedures for 
a data subject to file a concise statement setting forth the reasons 
for his disagreement with the refusal to amend his records.

IV. Matters of Regulatory Procedure

Administrative Procedure Act

    This proposed rulemaking is in compliance with the Administrative 
Procedure Act (5 U.S.C. 553) and allows for a 60-day comment period. 
Interested persons are invited to submit written comments to the Office 
of Government Ethics on this proposed regulation, to be received on or 
before March 24, 2003. The Office of Government Ethics will review all 
comments received and consider making any modifications to this 
proposed rule that appear warranted in issuing its final rule.

Executive Order 12866

    In promulgating this proposed rule, the Office of Government Ethics 
has adhered to the regulatory philosophy and the applicable principles 
of regulation set forth in section 1 of Executive Order 12866, 
Regulatory Planning and Review. This proposed rule has also been 
approved by the Office of Management and Budget under the Executive 
Order.

Executive Order 12988

    As Director of the Office of Government Ethics, I have reviewed 
this proposed rule in light of section 3 of Executive Order 12988, 
Civil Justice Reform, and certify that it meets the applicable 
standards provided therein.

Regulatory Flexibility Act

    As Director of the Office of Government Ethics, I certify under the 
Regulatory Flexibility Act (5 U.S.C. chapter 6) that this proposed rule 
will not have a significant economic impact on a substantial number of 
small entities, because it will primarily affect current and former 
executive branch Federal employees.

Unfunded Mandates Reform Act

    For purposes of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 
chapter 25, subpart II), the proposed rule would not significantly or 
uniquely affect small governments and would not result in increased 
expenditures by State, local, and tribal governments, in the aggregate, 
or by the private sector, of $100 million or more (as adjusted for 
inflation) in any one year.

Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) does not apply 
to this proposed rule because it does not contain information 
collection requirements that require the approval of the Office of 
Management and Budget.

Congressional Review Act

    The Office of Government Ethics has determined that this proposed 
rulemaking involves a nonmajor rule under the Congressional Review Act 
(5 U.S.C. chapter 8) and will, before the future final rule takes 
effect, submit a report thereon to the U.S. Senate, House of 
Representatives and General Accounting Office in accordance with that 
law.

List of Subjects in 5 CFR Part 2606

    Administrative practice and procedure, Archives and records, 
Conflict of interests, Government employees, Privacy Act.

    Approved: January 10, 2003.
Amy L. Comstock,
Director, Office of Government Ethics.

    Accordingly, for the reasons set forth in the preamble, the Office 
of Government Ethics is proposing to amend subchapter A of chapter XVI 
of title 5 of the Code of Federal Regulations by adding part 2606 to 
read as follows:

PART 2606--PRIVACY ACT RULES

Subpart A--General Provisions
Sec.
2606.101 Purpose.
2606.102 Definitions.
2606.103 Systems of records.
2606.104 OGE and agency responsibilities.
2606.105 Rules for individuals seeking to ascertain if they are the 
subject of a record.
2606.106 OGE employee Privacy Act rules of conduct and 
responsibilities.
Subpart B--Access to Records and Accounting of Disclosures
2606.201 Requests for access.
2606.202 OGE or other agency action on requests.
2606.203 Granting access.
2606.204 Request for review of an initial denial of access.
2606.205 Response to a request for review of an initial denial of 
access.
2606.206 Fees.
2606.207 Accounting of disclosures.
Subpart C--Amendment of Records
2606.301 Requests to amend records.
2606.302 OGE or other agency action on requests.
2606.303 Request for review of an initial refusal to amend a record.
2606.304 Response to a request for review of a refusal to amend; 
disagreement statements.

    Authority: 5 U.S.C. 552a, 5 U.S.C. App. (Ethics in Government 
Act of 1978).

[[Page 2925]]

Subpart A--General Provisions


Sec.  2606.101  Purpose.

    This part sets forth the regulations of the Office of Government 
Ethics (OGE) implementing the Privacy Act of 1974, as amended (5 U.S.C. 
552a). It governs access, maintenance, disclosure, and amendment of 
records contained in OGE's executive branch Governmentwide and internal 
systems of records, and establishes rules of conduct for OGE employees 
who have responsibilities under the Act.


Sec.  2606.102  Definitions.

    For the purpose of this part, the terms listed below are defined as 
follows:
    Access means providing a copy of a record to, or allowing review of 
the original record by, the data subject or the requester's authorized 
representative, parent or legal guardian;
    Act means the Privacy Act of 1974, as amended, 5 U.S.C. 552a;
    Amendment means the correction, addition, deletion, or destruction 
of a record or specific portions of a record;
    Data subject means the individual to whom the information pertains 
and by whose name or other individual identifier the information is 
maintained or retrieved;
    He, his, and him include she, hers and her.
    Office or OGE means the U.S. Office of Government Ethics;
    System manager means the Office or other agency official who has 
the authority to decide Privacy Act matters relative to a system of 
records;
    System of records means a group of any records containing personal 
information controlled and managed by OGE from which information is 
retrieved by the name of an individual or by some personal identifier 
assigned to that individual;
    Working day as used in calculating the date when a response is due 
means calendar days, excepting Saturdays, Sundays, and legal public 
holidays.


Sec.  2606.103  Systems of records.

    (a) Governmentwide systems of records. The Office of Government 
Ethics maintains two executive branch Governmentwide systems of 
records: the OGE/GOVT-1 system of records, comprised of Executive 
Branch Personnel Public Financial Disclosure Reports and Other Name-
Retrieved Ethics Program Records; and the OGE/GOVT-2 system of records, 
comprised of Executive Branch Confidential Financial Disclosure 
Reports. These Governmentwide systems of records are maintained by OGE, 
and through Office delegations of authority, by Federal executive 
branch departments and agencies with regard to their own employees, 
applicants for employment, individuals nominated to a position 
requiring Senate confirmation, candidates for a position, and former 
employees.
    (b) OGE Internal systems of records. The Office of Government 
Ethics internal systems of records are under OGE's physical custody and 
control and are established and maintained by the Office on current and 
former OGE employees regarding matters relating to the internal 
management of the Office. These systems of records consist of the OGE/
INTERNAL-1 system, comprised of Pay, Leave and Travel Records; the OGE/
INTERNAL-2 system, comprised of Telephone Call Detail Records; the OGE/
INTERNAL-3 system, comprised of Grievance Records; the OGE/INTERNAL-4 
system, comprised of Computer Systems Activity and Access Records; and 
the OGE/INTERNAL-5 system, comprised of Employee Locator and Emergency 
Notification Records.


Sec.  2606.104  OGE and agency responsibilities.

    (a) The procedures in this part apply to:
    (1) All initial Privacy Act access and amendment requests regarding 
records contained in an OGE system of records.
    (2) Administrative appeals from an Office or agency denial of an 
initial request for access to, or to amend, records contained in an OGE 
system of records.
    (b) For records contained in an OGE Governmentwide system of 
records, each agency is responsible (unless specifically excepted by 
the Office) for responding to initial requests for access or amendment 
of records in its custody and administrative appeals of denials 
thereof.
    (c) For records and material of another agency that are in the 
custody of OGE, but not under its control or ownership, OGE may refer a 
request for the records to that other agency, consult with the other 
agency prior to responding, or notify the requester that the other 
agency is the proper agency to contact.


Sec.  2606.105  Rules for individuals seeking to ascertain if they are 
the subject of a record.

    An individual seeking to ascertain if any OGE system of records 
contains a record pertaining to him must follow the access procedures 
set forth at Sec.  2606.201(a) and (b).


Sec.  2606.106  OGE employee Privacy Act rules of conduct and 
responsibilities.

    Each OGE employee involved in the design, development, operation, 
or maintenance of any system of records, or in maintaining any record 
covered by the Privacy Act, shall comply with the pertinent provisions 
of the Act relating to the treatment of such information. Particular 
attention is directed to the following provisions of the Privacy Act:
    (a) 5 U.S.C. 552a(e)(7)--The requirement to maintain in a system of 
records no record describing how any individual exercises rights 
guaranteed by the First Amendment of the Constitution of the United 
States unless expressly authorized by statute or by the individual 
about whom the record is maintained or unless pertinent to and within 
the scope of an authorized law enforcement activity.
    (b) 5 U.S.C. 552a(b)--The requirement that no agency shall disclose 
any record which is contained in a system of records by any means of 
communication to any person or to another agency, except pursuant to a 
written request by, or with the prior written consent of, the 
individual to whom the record pertains, except under certain limited 
conditions specified in subsections (b)(1) through (b)(12) of the 
Privacy Act.
    (c) 5 U.S.C. 552a(e)(1)--The requirement for an agency to maintain 
in its systems of records only such information about an individual as 
is relevant and necessary to accomplish a purpose of the agency 
required to be accomplished by statute or by Executive order.
    (d) 5 U.S.C. 552a(e)(2)--The requirement to collect information to 
the greatest extent practicable directly from the subject individual 
when the information may result in adverse determinations about an 
individual's rights, benefits, and privileges under Federal programs.
    (e) 5 U.S.C. 552a(e)(3)--The requirement to inform each individual 
asked to supply information to be maintained in a system of records the 
authority which authorizes the solicitation of the information and 
whether disclosure of such information is mandatory or voluntary; the 
principal purpose or purposes for which the information is intended to 
be used; the routine uses which may be made of the information; and the 
effects on the individual, if any, of not providing all or any part of 
the requested information.
    (f) 5 U.S.C. 552a(b) and (e)(10)--The requirement to comply with 
established safeguards and procedures to ensure the security and 
confidentiality of records and to protect personal data from any 
anticipated threats or hazards to their security or integrity which 
could result in substantial harm, embarrassment, inconvenience, or 
unfairness to an individual on whom information is maintained in a 
system of records.

[[Page 2926]]

    (g) 5 U.S.C. 552a(c)(1), (c)(2) and (c)(3)--The requirement to 
maintain an accounting of specified disclosures of personal information 
from systems of records in accordance with established Office 
procedures.
    (h) 5 U.S.C. 552a(e)(5) and (e)(6)--The requirements to maintain 
all records in a system of records which are used by the agency in 
making any determination about an individual with such accuracy, 
relevance, timeliness, and completeness as is reasonably necessary to 
assure fairness to the individual in the determination; and to make 
reasonable efforts to assure that such records are accurate, complete, 
timely, and relevant for agency purposes, prior to disseminating any 
record about an individual to any person other than an agency (unless 
the dissemination is required by the Freedom of Information Act, 5 
U.S.C. 552).
    (i) 5 U.S.C. 552a(d)(1), (d)(2) and (d)(3)--The requirement to 
permit individuals to have access to records pertaining to themselves 
in accordance with established Office procedures and to have an 
opportunity to request that such records be amended.
    (j) 5 U.S.C. 552a(c)(4) and (d)(4)--The requirement to inform any 
person or other agency about any correction or notation of dispute made 
by the agency in accordance with subsection (d) of the Act of any 
record that has been disclosed to the person or agency if an accounting 
of the disclosure was made; and, in any disclosure of information about 
which an individual has filed a statement of disagreement, to note 
clearly any portion of the record which is disputed and to provide 
copies of the statement (and if the agency deems it appropriate, copies 
of a concise statement of the reasons of the agency for not making the 
amendments requested) to persons or other agencies to whom the disputed 
record has been disclosed.
    (k) 5 U.S.C. 552a(n)--The requirement for an agency not to sell or 
rent an individual's name or address, unless such action is 
specifically authorized by law.
    (l) 5 U.S.C. 552a(i)--The criminal penalties to which an employee 
may be subject for failing to comply with certain provisions of the 
Privacy Act.

Subpart B--Access to Records and Accounting of Disclosures


Sec.  2606.201  Requests for access.

    (a) Records in an OGE Governmentwide system of records. An 
individual requesting access to records pertaining to him in an OGE 
Governmentwide system of records should submit a written request, which 
includes the words ``Privacy Act Request'' on both the envelope and at 
the top of the request letter, to the appropriate system manager as 
follows:
    (1) Records filed directly with OGE by non-OGE employees: The 
Deputy Director, Office of Agency Programs, Office of Government 
Ethics, Suite 500, 1201 New York Avenue, NW., Washington, DC 20005-
3917;
    (2) Records filed with a Designated Agency Ethics Official (DAEO) 
or the head of a department or agency: The DAEO at the department or 
agency concerned; or
    (3) Records filed with the Federal Election Commission by 
candidates for President or Vice President: The General Counsel, Office 
of General Counsel, Federal Election Commission, 999 E Street, NW., 
Washington, DC 20463.
    (b) Records in an OGE Internal System of Records. An individual 
requesting access to records pertaining to him in an OGE internal 
system of records should submit a written request, which includes the 
words ``Privacy Act Request'' on both the envelope and at the top of 
the request letter, to the Deputy Director, Office of Administration 
and Information Management, Office of Government Ethics, Suite 500, 
1201 New York Avenue, NW., Washington, DC 20005-3917.
    (c) Content of request. (1) A request should contain a specific 
reference to the OGE system of records from which access to the records 
is sought. Notices of OGE systems of records subject to the Privacy Act 
are published in the Federal Register, and copies of the notices are 
available on OGE's Web site at http://www.usoge.gov, or upon request 
from OGE's Office of General Counsel and Legal Policy. A biennial 
compilation of such notices also is made available online and published 
by the Office of Federal Register at the GPO Access Web site (http://www.access.gpo.gov/su_docs/aces/PrivacyAct.shtml) in accordance with 5 
U.S.C. 552a(f) of the Act.
    (2) If the written inquiry does not refer to a specific system of 
records, it should include other information that will assist in the 
identification of the records for which access is being requested. Such 
information may include, for example, the individual's full name 
(including her maiden name, if pertinent), dates of employment, social 
security number (if any records in the system include this identifier), 
current or last place and date of Federal employment. If the request 
for access follows a prior request to determine if an individual is the 
subject of a record, the same identifying information need not be 
included in the request for access if a reference is made to that prior 
correspondence, or a copy of the response to that request is attached.
    (3) The request should state whether the requester wants a copy of 
the record, or wants to examine the record in person.


Sec.  2606.202  OGE or other agency action on requests.

    A response to a request for access should include the following:
    (a) A statement that there is a record or records as requested or a 
statement that there is not a record in the system of records;
    (b) The method of access (if a copy of all the records requested is 
not provided with the response);
    (c) The amount of any fees to be charged for copies of records 
under Sec.  2606.206 of this part or other agencies' Privacy Act 
regulations as referenced in that section;
    (d) The name, title, and telephone number of the official having 
operational control over the record; and
    (e) If the request is denied in whole or in part, or no record is 
found in the system, a statement of the reasons for the denial, or a 
statement that no record has been found, and notice of the procedures 
for appealing the denial or no record finding.


Sec.  2606.203  Granting access.

    (a) The methods for allowing access to records, when such access 
has been granted by OGE or the other agency concerned are:
    (1) Examination in person in a designated office during the hours 
specified by OGE or the other agency;
    (2) Providing photocopies of the records; or
    (3) Transfer of records at the option of OGE or the other agency to 
another more convenient Federal facility.
    (b) When a requester has not indicated whether he wants a copy of 
the record, or wants to examine the record in person, the appropriate 
system manager may choose the means of granting access. However, the 
means chosen should not unduly impede the data subject's right of 
access. A data subject may elect to receive a copy of the records after 
having examined them.
    (c) Generally, OGE or the other agency concerned will not furnish 
certified copies of records. When copies are to be furnished, they may 
be provided as determined by OGE or the other agency and may require 
payment of any fee levied in accordance with an established fee 
schedule.
    (d) When the data subject seeks to obtain original documentation, 
the

[[Page 2927]]

Office and the other agencies concerned reserve the right to limit the 
request to copies of the original records. Original records should be 
made available for review only in the presence of the appropriate 
system manager or his designee.

    Note to paragraph (d) of Sec.  2606.203: Section 2071(a) of 
title 18 of the United States Code makes it a crime to conceal, 
remove, mutilate, obliterate, or destroy any record filed in a 
public office, or to attempt to do so.

    (e) Identification requirements--(1) Access granted in person--(i) 
Current or former employees. Current or former employees requesting 
access to records pertaining to them in a system of records may, in 
addition to the other requirements of this section, and at the sole 
discretion of the official having operational control over the record, 
have their identity verified by visual observation. If the current or 
former employee cannot be so identified by the official having 
operational control over the records, adequate identification 
documentation will be required, e.g., an employee identification card, 
driver's license, passport, or other officially issued document with a 
picture of the person requesting access.
    (ii) Other than current or former employees. Individuals other than 
current or former employees requesting access to records pertaining to 
them in a system of records must produce adequate identification 
documentation prior to being granted access. The extent of the 
identification documentation required will depend on the type of 
records to be accessed. In most cases, identification verification will 
be accomplished by the presentation of two forms of identification with 
a picture of the person requesting access (such as a driver's license 
and passport). Any additional requirements are specified in the system 
notices published pursuant to subsection (e)(4) of the Act.
    (2) Access granted by mail. For records to be accessed by mail, the 
appropriate system manager shall, to the extent possible, establish 
identity by a comparison of signatures in situations where the data in 
the record is not so sensitive that unauthorized access could cause 
harm or embarrassment to the individual to whom they pertain. No 
identification documentation will be required for the disclosure to the 
data subject of information required to be made available to the public 
by 5 U.S.C. 552, the Freedom of Information Act. When, in the opinion 
of the system manager, the granting of access through the mail could 
reasonably be expected to result in harm or embarrassment if disclosed 
to a person other than the individual to whom the record pertains, a 
notarized statement of identity or some similar assurance of identity 
may be required.
    (3) Unavailability of identification documentation. If an 
individual is unable to produce adequate identification documentation, 
the individual will be required to sign a statement asserting identity 
and acknowledging that knowingly or willfully seeking or obtaining 
access to records about another person under false pretenses may result 
in a criminal fine of up to $5,000 under subsection (i)(3) of the Act. 
In addition, depending upon the sensitivity of the records sought to be 
accessed, the appropriate system manager or official having operational 
control over the records may require such further reasonable assurances 
as may be considered appropriate, e.g., statements of other individuals 
who can attest to the identity of the data subject. No verification of 
identity will be required of data subjects seeking access to records 
which are otherwise available to any person under 5 U.S.C. 552.
    (4) Inadequate identification. If the official having operational 
control over the records in a system of records determines that an 
individual seeking access has not provided sufficient identification 
documentation to permit access, the official shall consult with the 
appropriate system manager prior to denying the individual access. 
Whenever the system manager determines, in accordance with the 
procedures herein, that access will not be granted, the response will 
also include a statement of the procedures to obtain a review of the 
decision to deny access in accordance with Sec.  2606.205.
    (f) Access by the parent of a minor, or legal guardian. A parent of 
a minor, upon presenting suitable personal identification as otherwise 
provided under this section, may access on behalf of the minor any 
record pertaining to the minor in a system of records. A legal 
guardian, upon presentation of documentation establishing guardianship 
and suitable personal identification as otherwise provided under this 
section, may similarly act on behalf of a data subject declared to be 
incompetent due to physical or mental incapacity or age by a court of 
competent jurisdiction. Minors are not precluded from exercising on 
their own behalf rights given to them by the Privacy Act.
    (g) Accompanying individual. A data subject requesting access to 
his records in a system of records may be accompanied by another 
individual of the data subject's choice during the course of the 
examination of the record. The official having operational control of 
the record may require the data subject making the request to submit a 
signed statement authorizing the accompanying individual's access to 
the record.
    (h) Access to medical records. When a request for access involves 
medical or psychological records that the appropriate system manager 
believes requires special handling, the data subject should be advised 
that the material will be provided only to a physician designated by 
the data subject. Upon receipt of the designation and upon verification 
of the physician's identity as otherwise provided under this section, 
the records will be made available to the physician, who will disclose 
those records to the data subject.
    (i) Exclusion. Nothing in these regulations permits a data 
subject's access to any information compiled in reasonable anticipation 
of a civil action or proceeding (see subsection (d)(5) of the Act).
    (j) Maximum access. This regulation is not intended to preclude 
access by a data subject to records that are available to that 
individual under other processes, such as the Freedom of Information 
Act (5 U.S.C. 552) or the rules of civil or criminal procedure, 
provided that the appropriate procedures for requesting access 
thereunder are followed.


Sec.  2606.204  Request for review of an initial denial of access.

    (a)(1) A data subject may submit a written appeal of the decision 
by OGE or the other agency to deny an initial request for access to 
records or a no record response.
    (i) For records filed directly with OGE, the appeal must be 
submitted to the Director, Office of Government Ethics, Suite 500, 1201 
New York Avenue, NW., Washington, DC 20005-3917.
    (ii) For records in OGE's executive branch Governmentwide systems 
of records that are filed directly with an agency (including the 
Federal Election Commission) other than OGE, the appeal must be 
submitted to the Privacy Act access appeals official as specified in 
the agency's own Privacy Act regulations or the respective head of the 
agency concerned if it does not have any Privacy Act regulations.
    (2) The words ``Privacy Act Appeal'' should be included on the 
envelope and at the top of the letter of appeal.
    (b) The appeal should contain a brief description of the records 
involved or copies of the correspondence from OGE

[[Page 2928]]

or the agency in which the initial request for access was denied. The 
appeal should attempt to refute the reasons given by OGE or the other 
agency concerned in its decision to deny the initial request for access 
or the no record finding.


Sec.  2606.205  Response to a request for review of an initial denial 
of access.

    (a) If the OGE Director or agency reviewing official determines 
that access to the records should be granted, the response will state 
how access will be provided if the records are not included with the 
response.
    (b) Any decision that either partially or fully affirms the initial 
decision to deny access shall inform the requester of the right to seek 
judicial review of the decision in accordance with 5 U.S.C. 552a(g) of 
the Privacy Act.


Sec.  2606.206  Fees.

    (a) Fees for records filed with OGE--(1) Services for which fees 
will not be charged:
    (i) The search and review time expended by OGE to produce a record;
    (ii) The first copy of the records provided; or
    (iii) The Office of Government Ethics making the records available 
to be personally reviewed by the data subject.
    (2) Additional copies of records. When additional copies of records 
are requested, an individual may be charged $.15 per page.
    (i) Notice of anticipated fees in excess of $25.00. If the charge 
for these additional copies amounts to more than $25.00, the requester 
will be notified and payment of fees may be required before the 
additional copies are provided, unless the requester has indicated in 
advance his willingness to pay fees as high as those anticipated.
    (ii) Advance payments. An advance payment before additional copies 
of the records are made will be required if:
    (A) The Office estimates or determines that the total fee to be 
assessed under this section is likely to exceed $250.00. When a 
determination is made that the allowable charges are likely to exceed 
$250.00, the requester will be notified of the likely cost and will be 
required to provide satisfactory assurance of full payment where the 
requester has a history of prompt payment of Privacy Act fees, or will 
be required to submit an advance payment of an amount up to the full 
estimated charges in the case of requesters with no history of payment; 
or
    (B) The requester has previously failed to pay a fee charged in a 
timely fashion (i.e., within 30 days of the date of the billing). In 
such cases, the requester may be required to pay the full amount owed 
plus any applicable interest as provided by paragraph (a)(2)(iii) of 
this section, and to make an advance payment of the full amount of the 
estimated fee before the Office begins to process a new request.
    (iii) Interest charges. Interest charges on an unpaid bill may be 
assessed starting on the 31st day following the day on which the 
billing was sent. Interest shall be at the rate prescribed in 31 U.S.C. 
3717 and shall accrue from the date of billing. To collect unpaid 
bills, the Office will follow the provisions of the Debt Collection Act 
of 1982, as amended (96 Stat. 1749 et seq.) and the Debt Collection 
Improvement Act of 1996 (110 Stat. 1321-358 et seq.), including the use 
of consumer reporting agencies, collection agencies, and offset.
    (iv) Remittance. Remittance should be made by either a personal 
check, bank draft or a money order that is payable to the Department of 
the Treasury of the United States.
    (b) Fees for records filed with agencies other than OGE. An agency 
shall apply its own Privacy Act fee schedule for records in OGE's 
executive branch Governmentwide systems that are filed directly with 
the agency. An agency that does not have a Privacy Act fee schedule may 
apply the fee schedule in this section.


Sec.  2606.207  Accounting of disclosures.

    (a) The Office of Government Ethics or the other agency concerned 
will maintain an accounting of disclosures in cases where records about 
the data subject are disclosed from OGE's system of records except--
    (1) When the disclosure is made pursuant to the Freedom of 
Information Act, as amended (5 U.S.C. 552); or
    (2) When the disclosure is made to those officers and employees of 
OGE or the other agency which maintains the records who have a need for 
the records in the performance of their duties.
    (b) This accounting of disclosures will be retained for at least 
five years or for the life of the record, whichever is longer, and will 
contain the following information:
    (1) A brief description of the record disclosed;
    (2) The date, nature, and purpose for the disclosure; and
    (3) The name and address of the individual, agency, or other entity 
to whom the disclosure is made.
    (c) Under sections 102 and 105 of the Ethics in Government Act, 18 
U.S.C. 208(d) and 5 CFR parts 2634 and 2640 of OGE's executive branch 
regulations, a requester other than the data subject must submit a 
signed, written application on the OGE Form 201 or agency equivalent 
form to inspect or receive copies of certain records, such as SF 278 
Public Financial Disclosure Reports, Certificates of Divestiture, 18 
U.S.C. 208(b)(1) and (b)(3) waivers, and OGE certified qualified blind 
and diversified trust instruments and other publicly available 
qualified trust materials. The written application requests the name, 
occupation and address of the requester as well as lists the 
prohibitions on obtaining or using the records. These applications are 
used as the accounting of disclosures for these records.
    (d) Except for the accounting of a disclosure made under subsection 
(b)(7) of the Privacy Act for a civil or criminal law enforcement 
activity that is authorized by law, the accounting of disclosures will 
be made available to the data subject upon request in accordance with 
the access procedures of this part.

Subpart C--Amendment of Records


Sec.  2606.301  Requests to amend records.

    (a) Amendment request. A data subject seeking to amend a record or 
records that pertain to him in a system of records must submit his 
request in writing in accordance with the following procedures, unless 
this requirement is waived by the appropriate system manager. Records 
not subject to the Privacy Act will not be amended in accordance with 
these provisions.
    (b) Addresses--(1) Records in an OGE Governmentwide system of 
records. A request to amend a record in an OGE Governmentwide system of 
records should be sent to the appropriate system manager as follows:
    (i) Records filed directly with OGE by non-OGE employees: The 
Deputy Director, Office of Agency Programs, Office of Government 
Ethics, Suite 500, 1201 New York Avenue, NW., Washington, DC 20005-
3917;
    (ii) Records filed with a Designated Agency Ethics Official (DAEO) 
or the head of a department or agency: The DAEO at the department or 
agency concerned; or
    (iii) Records filed with the Federal Election Commission by 
candidates for President or Vice President: The General Counsel, Office 
of General Counsel, Federal Election Commission, 999 E Street, NW., 
Washington, DC 20463.
    (2) Records in an OGE internal system of records. A request to 
amend a record in an OGE Internal system of records should include the 
words ``Privacy Act Amendment Request'' on both the envelope and at the 
top of the request letter, and should be sent to the Deputy

[[Page 2929]]

Director, Office of Administration and Information Management, Office 
of Government Ethics, Suite 500, 1201 New York Avenue, NW., Washington, 
DC 20005-3917.
    (c) Contents of request. (1) A request to amend a record in an OGE 
Governmentwide system of records or an OGE internal system of records 
should include the words ``Privacy Act Amendment Request'' on both the 
envelope and at the top of the request letter.
    (2) The name of the system of records and a brief description of 
the record(s) proposed for amendment must be included in any request 
for amendment. In the event the request to amend the record(s) is the 
result of the data subject's having gained access to the record(s) in 
accordance with the provisions concerning access to records as set in 
subpart B, copies of previous correspondence between the requester and 
OGE or the agency will serve in lieu of a separate description of the 
record.
    (3) The exact portion of the record(s) the data subject seeks to 
have amended should be indicated clearly. If possible, proposed 
alternative language should be set forth, or, at a minimum, the reasons 
why the data subject believes his record is not accurate, relevant, 
timely, or complete should be set forth with enough particularity to 
permit OGE or the other agency concerned not only to understand the 
data subject's basis for the request, but also to make an appropriate 
amendment to the record.
    (d) Burden of proof. The data subject has the burden of proof when 
seeking the amendment of a record. The data subject must furnish 
sufficient facts to persuade the appropriate system manager of the 
inaccuracy, irrelevance, untimeliness, or incompleteness of the record.
    (e) Identification requirement. When the data subject's identity 
has been previously verified pursuant to Sec.  2606.203, further 
verification of identity is not required as long as the communication 
does not suggest a need for verification. If the data subject's 
identity has not been previously verified, the appropriate system 
manager may require identification validation as described in Sec.  
2606.203.


Sec.  2606.302  OGE or other agency action on requests.

    (a) Time limit for acknowledging a request for amendment. To the 
extent possible, OGE or the other agency concerned will acknowledge 
receipt of a request to amend a record or records within 10 working 
days.
    (b) Initial determination on an amendment request. The decision of 
OGE or the other agency in response to a request for amendment of a 
record in a system of records may grant in whole, or deny any part of 
the request to amend the record(s).
    (1) If OGE or the other agency concerned grants the request, the 
appropriate system manager will amend the record(s) and provide a copy 
of the amended record(s) to the data subject. Where an accounting of 
disclosure has been maintained, the system manager shall advise all 
previous recipients of the record that an amendment has been made and 
give the substance of the amendment. Where practicable, the system 
manager shall send a copy of the amended record to previous recipients.
    (2) If OGE or the other agency concerned denies the request in 
whole or in part, the reasons for the denial will be stated in the 
response letter. In addition, the response letter will state:
    (i) The name and address of the official with whom an appeal of the 
denial may be lodged; and
    (ii) A description of any other procedures which may be required of 
the data subject in order to process the appeal.


Sec.  2606.303  Request for review of an initial refusal to amend a 
record.

    (a)(1) A data subject may submit a written appeal of the initial 
decision by OGE or an agency denying a request to amend a record in an 
OGE system of records.
    (i) For records which are filed directly with OGE, the appeal must 
be submitted to the Director, Office of Government Ethics, Suite 500, 
1201 New York Avenue, NW., Washington, DC 20005-3917.
    (ii) For records which are filed directly with an agency (including 
the Federal Election Commission) other than OGE, the appeal must be 
submitted to the Privacy Act amendments appeals official as specified 
in the agency's own Privacy Act regulations, or to the respective head 
of the agency concerned if it does not have Privacy Act regulations.
    (2) The words ``Privacy Act Appeal'' should be included on the 
envelope and at the top of the letter of the appeal.
    (b) The request for review should contain a brief description of 
the record(s) involved or copies of the correspondence from OGE or the 
agency in which the request to amend was denied, and the reasons why 
the data subject believes that the disputed information should be 
amended.


Sec.  2606.304  Response to a request for review of an initial refusal 
to amend; disagreement statements.

    (a) The OGE Director or agency reviewing official should make a 
final determination in writing not later than 30 days from the date the 
appeal was received. The 30-day period may be extended for good cause. 
Notice of the extension and the reasons therefor will be sent to the 
data subject within the 30-day period.
    (b) If the OGE Director or agency reviewing official determines 
that the record(s) should be amended in accordance with the data 
subject's request, the OGE Director or agency reviewing official will 
take the necessary steps to advise the data subject, and to direct the 
appropriate system manager:
    (1) to amend the record(s), and
    (2) to notify previous recipients of the record(s) for which there 
is an accounting of disclosure that the record(s) have been amended.
    (c) If the appeal decision does not grant in full the request for 
amendment, the decision letter will notify the data subject that he 
may:
    (1) Obtain judicial review of the decision in accordance with the 
terms of the Privacy Act at 5 U.S.C. 552a(g); and
    (2) File a statement setting forth his reasons for disagreeing with 
the decision.
    (d)(1) A data subject's disagreement statement must be concise. The 
appropriate system manager has the authority to determine the 
``conciseness'' of the statement, taking into account the scope of the 
disagreement and the complexity of the issues.
    (2) In any disclosure of information about which an individual has 
filed a statement of disagreement, the appropriate system manager will 
clearly note any disputed portion(s) of the record(s) and will provide 
a copy of the statement to persons or other agencies to whom the 
disputed record or records has been disclosed and for whom an 
accounting of disclosure has been maintained. A concise statement of 
the reasons for not making the amendments requested may also be 
provided.

[FR Doc. 03-1100 Filed 1-21-03; 8:45 am]
BILLING CODE 6345-02-P