[Federal Register Volume 71, Number 26 (Wednesday, February 8, 2006)]
[Rules and Regulations]
[Pages 6374-6380]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 06-1122]


-----------------------------------------------------------------------

NATIONAL FOUNDATION ON THE ARTS AND THE HUMANITIES

45 CFR Part 1182

3137-AA17


Institute of Museum and Library Services; Implementation of the 
Privacy Act of 1974

AGENCY: Institute of Museum and Library Services (IMLS), NFAH.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Institute of Museum and Library Services (Institute) has 
amended its Privacy Act regulations to reflect administrative changes 
at the agency and to conform to the President's Memorandum of June 1, 
1998--Plain Language in Government Writing. These regulations establish 
procedures by which an individual may determine whether a system of 
records maintained by the Institute contains a record pertaining to him 
or her; gain access to such records; and request correction or 
amendment of such records. These regulations also establish exemptions 
from certain Privacy Act requirements for all or part of certain 
systems of records maintained by the Institute.

EFFECTIVE DATE: February 2, 2006.

FOR FURTHER INFORMATION CONTACT: Nancy E. Weiss, General Counsel, 
Institute of Museum and Library Services, 1800 M Street, NW., Ninth 
Floor, Washington, DC 20036. E-mail: [email protected]. Telephone: (202) 
653-4787. Facsimile: (202) 653-4625.

SUPPLEMENTARY INFORMATION: The Institute operates as part of the 
National Foundation on the Arts and the Humanities under the National 
Foundation on the Arts and the Humanities Act of 1965, as amended (20 
U.S.C. 951 et seq.) The corresponding regulations published at 45 CFR 
Chapter XI, Subchapter A apply to the entire Foundation, while the 
regulations published at 45 CFR Chapter XI, Subchapter E apply only to 
the Institute. The proposed rule was published by the Institute in the 
Federal Register on November 23, 2005. The Institute received no 
comments suggesting changes to the text of the rule.
    This final rule adds Privacy Act regulations to Subchapter E (45 
CFR part 1182), replacing the existing regulations in Subchapter A (45 
CFR part 1115) with regard to the Institute. The new regulations 
provide additional detail concerning several provisions of the Privacy 
Act, and are intended to increase understanding of the Institute's 
Privacy Act policies. The Institute is authorized to propose the new 
regulations under 5 U.S.C. 552a(f) of the Privacy Act.

I. Matters of Regulatory Procedure

Regulatory Planning and Review (E.O. 12866)

    Under Executive Order 12866, the Institute must determine whether 
the regulatory action is ``significant'' and therefore subject to OMB 
review and the requirements of the Executive order. The Order defines a 
``significant regulatory action'' as one that is likely to result in a 
rule that may: (1) Have an annual effect on the economy of $100 million 
or more or adversely affect in a

[[Page 6375]]

material way the economy, a sector of the economy, productivity, 
competition, jobs, the environment, public health or safety, or State, 
local, or tribal governments or communities; (2) create a serious 
inconsistency or otherwise interfere with an action taken or planned by 
another agency; (3) materially alter the budgetary impact of 
entitlements, grants, user fees, or loan programs or the rights and 
obligations of recipients thereof; (4) raise novel legal or policy 
issues arising out of legal mandates, the President's priorities, or 
the principles set forth in the Executive Order.
    The rules add Privacy Act regulations to Subchapter E (45 CFR part 
1182), replacing the existing regulations in Subchapter A (45 CFR part 
1115) with regard to the Institute. The new regulations provide 
additional detail concerning several provisions of the Privacy Act, and 
are intended to increase understanding of the Institute's Privacy Act 
policies. As such, it does not impose a compliance burden on the 
economy generally or on any person or entity. Accordingly, this rule is 
not a ``significant regulatory action'' from an economic standpoint, 
and it does not otherwise create any inconsistencies or budgetary 
impacts to any other agency or Federal Program.

Regulatory Flexibility Act

    Because this rule adds Privacy Act regulations to Subchapter E (45 
CFR part 1182), replacing the existing regulations in Subchapter A (45 
CFR part 1115) with regard to the Institute, the Institute has 
determined in Regulatory Flexibility Act (5 U.S.C. 601 et seq.) review 
that this rule will not have a significant economic impact on a 
substantital number of small entities.

Paperwork Reduction Act

    This rule is exempt from the requirements of the Paperwork 
Reduction Act, since it adds Privacy Act regulations to Subchapter E 
(45 CFR part 1182), replacing the existing regulations in Subchapter A 
(45 CFR part 1115) with regard to the Institute. An OMB form 83-1 is 
not required.

Unfunded Mandates Reform Act

    For purposes of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 
chapter 25, subchapter II), this rule will not significantly or 
uniquely affect small governments and will not result in increased 
expenditures by State, local, and tribal governments, or by the private 
sector, of $100 million or more as adjusted for inflation) in any one 
year.

Small Business Regulatory Enforcement Fairness Act (SBREFA)

    This rule is not a major rule under 5 U.S.C. 804(2), the Small 
Business Regulatory Enforcement Fairness Act. This rule:
    a. Does not have an annual effect on the economy of $100 million or 
more.
    b. Will not cause a major increase in costs or prices for 
consumers, individuals industries, Federal, State, or local government 
agencies, or geographic regions.
    c. Does not have significant adverse effects on competition, 
employment, investment, productivity, innovation, or the ability of 
U.S.-based enterprises to compete with foreign-based enterprises.

Takings (E.O. 12630)

    In accordance with Executive Order 12630, the rule does not have 
significant takings implications. No rights, property or compensation 
has been, or will be taken. A takings implication assessment is not 
required.

Federalism (E.O. 13132)

    In accordance with Executive Order 13132, this rule does not have 
federalism implications that warrant the preparation of a federalism 
assessment.

Civil Justice Reform (E.O. 12988)

    In accordance with Executive Order 12988, the Institute has 
determined that this rule does not unduly burden the judicial system 
and meets the requirements of sections 3(a) and 3(b)(2) of the Order.

Consultation With Indian tribes (E.O. 13175)

    In accordance with Executive Order 13175, the Institute has 
evaluated this rule and determined that it has no potential negative 
effects on federally recognized Indian tribes.

National Environmental Policy Act

    This final rule does not constitute a major Federal action 
significantly affecting the quality of the human environment.

List of Subjects in 45 CFR Part 1182

    Privacy.

    Dated: February 2, 2006.
Nancy E. Weiss,
General Counsel, Institute of Museum and Library Services.

0
For the reasons stated in the preamble, the Institute amends Title 45, 
Code of Federal Regulations, Subchapter E, by adding Part 1182 to read 
as follows:

PART 1182--IMPLEMENTATION OF THE PRIVACY ACT OF 1974

Sec.
1182.1 Purpose and scope of these regulations.
1182.2 Definitions.
1182.3 Inquiries about the Institute's systems of records or 
implementation of the Privacy Act.
1182.4 Procedures for notifying the public of the Institute's 
systems of records.
1182.5 Procedures for notifying government entities of the 
Institute's proposed changes to its systems of records.
1182.6 Limits that exist as to the contents of the Institute's 
systems of records.
1182.7 Institute procedures for collecting information from 
individuals for its records.
1182.8 Procedures for acquiring access to Institute records 
pertaining to an individual.
1182.9 Identification required when requesting access to Institute 
records pertaining to an individual.
1182.10 Procedures for amending or correcting an individual's 
Institute record.
1182.11 Procedures for appealing a refusal to amend or correct an 
Institute record.
1182.12 Fees charged to locate, review, or copy records.
1182.13 Policies and procedures for Institute disclosure of its 
records.
1182.14 Procedures for maintaining accounts of disclosures made by 
the Institute from its systems of records.
1182.15 Institute responsibility for maintaining adequate technical, 
physical, and security safeguards to prevent unauthorized disclosure 
or destruction of manual and automatic record systems.
1182.16 Procedures to ensure that Institute employees involved with 
its systems of records are familiar with the requirements and of the 
Privacy Act.
1182.17 Institute systems of records that are covered by exemptions 
in the Privacy Act.
1182.18 Penalties for obtaining an Institute record under false 
pretenses.
1182.19 Restrictions that exist regarding the release of mailing 
lists.

    Authority: 5 U.S.C. 552a(f).


Sec.  1182.1  Purpose and scope of these regulations.

    The regulations in this part set forth the Institute's procedures 
under the Privacy Act, as required by 5 U.S.C. 552a(f), with respect to 
systems of records maintained by the Institute. These regulations 
establish procedures by which an individual may exercise the rights 
granted by the Privacy Act to determine whether an Institute system 
contains a record pertaining to him or her; to gain access to such 
records; and to request correction or amendment of such records. These 
regulations also set identification requirements, prescribe fees to be 
charged for copying records,

[[Page 6376]]

and establish exemptions from certain requirements of the Act for 
certain Institute systems or components thereof:


Sec.  1182.2  Definitions.

    The definitions of the Privacy Act apply to this part. In addition, 
as used in this part:
    (a) Agency means any executive department, military department, 
government corporation, or other establishment in the executive branch 
of the Federal government, including the Executive Office of the 
President or any independent regulatory agency.
    (b) Business day means a calendar day, excluding Saturdays, 
Sundays, and legal public holidays.
    (c) Director means the Director of the Institute, or his or her 
designee;
    (d) General Counsel means the General Counsel of the Institute, or 
his or her designee.
    (e) Individual means any citizen of the United States or an alien 
lawfully admitted for permanent residence;
    (f) Institute means the Institute of Museum and Library Services;
    (g) Institute system means a system of records maintained by the 
Institute;
    (h) Maintain means to collect, use, store, or disseminate records, 
as well as any combination of these recordkeeping functions. The term 
also includes exercise of control over and, therefore, responsibility 
and accountability for, systems of records;
    (i) Privacy Act or Act means the Privacy Act of 1974, as amended (5 
U.S.C. 552a);
    (j) Record means any item, collection, or grouping of information 
about an individual that is maintained by an agency and contains the 
individual's name or another identifying particular, such as a number 
or symbol assigned to the individual, or his or her fingerprint, voice 
print, or photograph. The term includes, but is not limited to, 
information regarding an individual's education, financial 
transactions, medical history, and criminal or employment history;
    (k) Routine use means, with respect to the disclosure of a record, 
the use of a record for a purpose that is compatible with the purpose 
for which it was collected;
    (l) Subject individual means the individual to whom a record 
pertains. Uses of the terms ``I'', ``you'', ``me'', and other 
references to the reader of the regulations in this part are meant to 
apply to subject individuals as defined in this paragraph (l); and
    (m) System of records means a group of records under the control of 
any agency from which information is retrieved by use of the name of 
the individual or by some number, symbol, or other identifying 
particular assigned to the individual.


Sec.  1182.3  Inquiries about the Institute's systems of records or 
implementation of the Privacy Act.

    Inquiries about the Institute's systems of records or 
implementation of the Privacy Act should be sent to the following 
address: Institute of Museum and Library Services; Office of the 
General Counsel; 1800 M Street, NW., 9th Floor, Washington, DC 20036.


Sec.  1182.4  Procedures for notifying the public of the Institute's 
systems of records.

    (a) From time to time, the Institute shall review its systems of 
records in the Federal Register, and publish, if necessary, any 
amendments to those systems of records. Such publication shall not be 
made for those systems of records maintained by other agencies while in 
the temporary custody of the Institute.
    (b) At least 30 days prior to publication of information under 
paragraph (a) of this section, the Institute shall publish in the 
Federal Register a notice of its intention to establish any new routine 
uses of any of its systems of records, thereby providing the public an 
opportunity to comment on such uses. This notice published by the 
Institute shall contain the following:
    (1) The name of the system of records for which the routine use is 
to be established;
    (2) The authority for the system;
    (3) The purpose for which the record is to be maintained;
    (4) The proposed routine use(s);
    (5) The purpose of the routine use(s); and
    (6) The categories of recipients of such use.
    (c) Any request for additions to the routine uses of Institute 
systems should be sent to the Office of the General Counsel (see Sec.  
1182.3).
    (d) Any individual who wishes to know whether an Institute system 
contains a record pertaining to him or her should write to the Office 
of the General Counsel (see Sec.  1182.3). Such individuals may also 
call the Office of the General Counsel at (202) 653-4787 on business 
days, between the hours of 9 a.m. and 5 p.m., to schedule an 
appointment to make an inquiry in person. Inquiries should be presented 
in writing and should specifically identify the Institute systems 
involved. The Institute will attempt to respond to an inquiry regarding 
whether a record exists within 10 business days of receiving the 
inquiry.


Sec.  1182.5  Procedures for notifying government entities of the 
Institute's proposed changes to its systems of records.

    When the Institute proposes to establish or significantly change 
any of its systems of records, it shall provide adequate advance notice 
of such proposal to the Committee on Government Reform of the House of 
Representatives, the Committee on Governmental Affairs of the Senate, 
and the Office of Management and Budget (OMB), in order to permit an 
evaluation of the probable or potential effect of such proposal on the 
privacy or other rights of individuals. This report will be submitted 
in accordance with guidelines provided by the OMB.


Sec.  1182.6  Limits that exist as to the contents of the Institute's 
systems of records.

    (a) The Institute shall maintain only such information about an 
individual as is relevant and necessary to accomplish a purpose of the 
agency required by statute or by executive order of the President. In 
addition, the Institute shall maintain all records that are used in 
making determinations about any individual with such accuracy, 
relevance, timeliness, and completeness as is reasonably necessary to 
ensure fairness to that individual in the making of any determination 
about him or her. However, the Institute shall not be required to 
update retired records.
    (b) The Institute shall not maintain any record about any 
individual with respect to or describing how such individual exercises 
rights guaranteed by the First Amendment of the Constitution of the 
United States, unless expressly authorized by statute or by the subject 
individual, or unless pertinent to and within the scope of an 
authorized law enforcement activity.


Sec.  1182.7  Institute procedures for collecting information from 
individuals for its records.

    The Institute shall collect information, to the greatest extent 
practicable, directly from you when the information may result in 
adverse determinations about your rights, benefits, or privileges under 
Federal programs. In addition, the Institute shall inform you of the 
following, either on the form it uses to collect the information or on 
a separate form that you can retain, when it asks you to supply 
information:
    (a) The statutory or executive order authority that authorizes the 
solicitation of the information;
    (b) Whether disclosure of such information is mandatory or 
voluntary;
    (c) The principal purpose(s) for which the information is intended 
to be used;

[[Page 6377]]

    (d) The routine uses that may be made of the information, as 
published pursuant to Sec.  1182.4; and
    (e) Any effects on you of not providing all or any part of the 
required or requested information.


Sec.  1182.8  Procedures for acquiring access to Institute records 
pertaining to an individual.

    The following procedures apply to records that are contained in an 
Institute system:
    (a) You may request review of records pertaining to you by writing 
to the Office of the General Counsel (see Sec.  1182.3). You also may 
call the Office of the General Counsel at (202) 653-4787 on business 
days, between the hours of 9 a.m. and 5 p.m., to schedule an 
appointment to make such a request in person. A request for records 
should be presented in writing and should identify specifically the 
Institute systems involved.
    (b) Access to the record, or to any other information pertaining to 
you that is contained in the system shall be provided if the 
identification requirements of Sec.  1182.9 are satisfied and the 
record is determined otherwise to be releasable under the Privacy Act 
and these regulations. The Institute shall provide you an opportunity 
to have a copy made of any such record about you. Only one copy of each 
requested record will be supplied, based on the fee schedule in Sec.  
1182.12.
    (c) The Institute will comply promptly with requests made in person 
at scheduled appointments, if the requirements of this section are met 
and the records sought are immediately available. The institute will 
acknowledge, within 10 business days, mailed requests or personal 
requests for documents that are not immediately available, and the 
information requested will be provided promptly thereafter.
    (d) If you make your request in person at a scheduled appointment, 
you may, upon your request, be accompanied by a person of your choice 
to review your record. The Institute may require that you furnish a 
written statement authorizing discussion of your record in the 
accompanying person's presence. A record may be disclosed to a 
representative chosen by you upon your proper written consent.
    (e) Medical or psychological records pertaining to you shall be 
disclosed to you unless, in the judgment of the Institute, access to 
such records might have an adverse effect upon you. When such a 
determination has been made, the Institute may refuse to disclose such 
information directly to you. The Institute will, however, disclose this 
information to a licensed physician designated by you in writing.


Sec.  1182.9  Identification required when requesting access to 
Institute records pertaining to an individual.

    The Institute shall require reasonable identification of all 
individuals who request access to records in an Institute system to 
ensure that they are disclosed to the proper person.
    (a) The amount of personal identification required will of 
necessity vary with the sensitivity of the record involved. In general, 
if you request disclosure in person, you shall be required to show an 
identification card, such as a driver's license, containing your 
photograph and sample signature. However, with regard to records in 
Institute systems that contain particularly sensitive and/or detailed 
personal information, the Institute reserves the right to require 
additional means of identification as are appropriate under the 
circumstances. These means include, but are not limited to, requiring 
you to sign a statement under oath as to your identity, acknowledging 
that you are aware of the penalties for improper disclosure under the 
provisions of the Privacy Act.
    (b) If you request disclosure by mail, the Institute will request 
such information as may be necessary to ensure that you are properly 
identified. Authorized means to achieve this goal include, but are not 
limited to, requiring that a mail request include certification that a 
duly commissioned notary public of any State or territory (or a similar 
official, if the request is made outside of the United States) received 
an acknowledgment of identity from you.
    (c) If you are unable to provide suitable documentation or 
identification, the Institute may require a signed, notarized statement 
asserting your identity and stipulating that you understand that 
knowingly or willfully seeking or obtaining access to records about 
another person under false pretenses is punishable by a fine of up to 
$5,000.


Sec.  1182.10  Procedures for amending or correcting an individual's 
Institute record.

    (a) You are entitled to request amendments to or corrections of 
records pertaining to you pursuant to the provisions of the Privacy 
Act, including 5 U.S.C. 552a(d)(2). Such a request should be made in 
writing and addressed to the Office of the General Counsel (see Sec.  
1182.3).
    (b) Your request for amendments or corrections should specify the 
following:
    (1) The particular record that you are seeking to amend or correct;
    (2) The Institute system from which the record was retrieved;
    (3) The precise correction or amendment you desire, preferably in 
the form of an edited copy of the record reflecting the desired 
modification; and
    (4) Your reasons for requesting amendment or correction of the 
record.
    (c) The Institute will acknowledge a request for amendment or 
correction of a record within 10 business days of its receipt, unless 
the request can be processed and the individual informed of the General 
Counsel's decision on the request within that 10-day period.
    (d) If after receiving and investigating your request, the General 
Counsel agrees that the record is not accurate, timely, or complete, 
based on a preponderance of the evidence, then the record will be 
corrected or amended promptly. The record will be deleted without 
regard to its accuracy, if the record is not relevant or necessary to 
accomplish the Institute function for which the record was provided or 
is maintained. In either case, you will be informed in writing of the 
amendment, correction, or deletion. In addition, if accounting was made 
of prior disclosures of the record, all previous recipients of the 
record will be informed of the corrective action taken.
    (e) If after receiving and investigating your request, the General 
Counsel does not agree that the record should be amended or corrected, 
you will be informed promptly in writing of the refusal to amend or 
correct the record and the reason for this decision. You also will be 
informed that you may appeal this refusal in accordance with Sec.  
1182.11.
    (f) Requests to amend or correct a record governed by the 
regulations of another agency will be forwarded to such agency for 
processing, and you will be informed in writing of this referral.


Sec.  1182.11  Procedures for appealing a refusal to amend or correct 
an Institute record.

    (a) You may appeal a refusal to amend or correct a record to the 
Director. Such appeal must be made in writing within 10 business days 
of your receipt of the initial refusal to amend or correct your record. 
Your appeal should be sent to the Office of the General Counsel (see 
Sec.  1182.3), should indicate that it is an appeal, and should include 
the basis for the appeal.
    (b) The Director will review your request to amend or correct the 
record, the General Counsel's refusal, and any other pertinent material 
relating to the appeal. No hearing will be held.
    (c) The Director shall render his or her decision on your appeal 
within 30

[[Page 6378]]

business days of its receipt by the Institute, unless the Director, for 
good cause shown, extends the 30-day period. Should the Director extend 
the appeal period, you will be informed in writing of the extension and 
the circumstances of the delay.
    (d) If the Director determines that the record that is the subject 
of the appeal should be amended or corrected, the record will be so 
modified, and you will be informed in writing of the amendment or 
correction. Where an accounting was made of prior disclosures of the 
record, all previous recipients of the record will be informed of the 
corrective action taken.
    (e) If your appeal is denied, you will be informed in writing of 
the following:
    (1) The denial and the reasons for the denial;
    (2) That you may submit to the Institute a concise statement 
setting forth the reasons for your disagreement as to the disputed 
record. Under the procedures set forth in paragraph (f) of this 
section, your statement will be disclosed whenever the disputed record 
is disclosed; and
    (3) That you may seek judicial review of the Director's 
determination under 5 U.S.C. 552a(g)(1)(a).
    (f) Whenever you submit a statement of disagreement to the 
Institute in accordance with paragraph (e)(2) of this section, the 
record will be annotated to indicate that it is disputed. In any 
subsequent disclosure, a copy of your statement of disagreement will be 
disclosed with the record. If the Institute deems it appropriate, a 
concise statement of the Director's reasons for denying our appeal also 
may be disclosed with the record. While you will have access to this 
statement of the Director's reasons for denying your appeal, such 
statement will not be subject to correction or amendment. Where an 
accounting was made of prior disclosures of the record, all previous 
recipients of the record will be provided a copy of your statement of 
disagreement, as well as any statement of the Director's reasons for 
denying your appeal.


Sec.  1182.12  Fees charged to locate, review, or copy records.

    (a) The Institute shall charge no fees for search time or for any 
other time expended by the Institute to review a record. However, the 
Institute may charge fees where you request that a copy be made of a 
record to which you have been granted access. Where a copy of the 
record must be made in order to provide access to the record (e.g., 
computer printout where no screen reading is available), the copy will 
be made available to you without cost.
    (b) Copies of records made by photocopy or similar process will be 
charged to you at the rate of $0.10 per page. Where records are not 
susceptible to photocopying (e.g., punch cards, magnetic tapes, or 
oversize materials), you will be charged actual cost as determined on a 
case-by-case basis. A copying fee totaling $3.00 or less shall be 
waived, but the copying fees for contemporaneous requests by the same 
individual shall be aggregated to determine the total fee.
    (c) Special and additional services provided at your request, such 
as certification or authentication, postal insurance, and special 
mailing arrangement costs, will be charged to you.
    (d) A copying fee shall not be charged or, alternatively, it may be 
reduced, when the General Counsel determines, based on a petition, that 
the petitioning individual is indigent and that the Institute's 
resources permit a waiver of all or part of the fee.
    (e) All fees shall be paid before any copying request is 
undertaken. Payments shall be made by check or money order payable to 
the ``Institute of Museum and Library Services.''


Sec.  1182.13  Policies and procedures for Institute disclosure of its 
records.

    (a) The Institute not disclose any record that is contained in a 
system of records to any person or to another agency, except pursuant 
to a written request by or with the prior written consent of the 
subject individual, unless disclosure of the record is:
    (1) To those officers or employees of the Institute who maintain 
the record and who have a need for the record in the performance of 
their official duties;
    (2) Required under the provisions of the Freedom of Information Act 
(5 U.S.C. 552). Records required to be made available by the Freedom of 
Information Act will be released in response to a request to the 
Institute formulated in accordance with the National Foundation on the 
Arts and the Humanities regulations published at 45 CFR part 1100;
    (3) For a routine use as published in the annual notice in the 
Federal Register;
    (4) To the Census Bureau for purpose of planning or carrying out a 
census; survey, or related activity pursuant to the provisions of Title 
13 of the United States Code;
    (5) To a recipient who has provided the Institute with adequate 
advance written assurance that the record will be used solely as a 
statistical research or reporting record, and the record is to be 
transferred in a form that is not individually identifiable;
    (6) To the National Archives and Records Administration as a record 
that has sufficient historical or other value to warrant its continued 
preservation by the United States government, or for evaluation by the 
Archivist of the United States, or his or her designee, to determine 
whether the record has such value;
    (7) To another agency or to an instrumentality of any governmental 
jurisdiction within or under the control of the United States for a 
civil or criminal law enforcement activity, if the activity is 
authorized by law, and if the head of the agency or instrumentality has 
made a written request to the Institute for such records specifying the 
particular portion desired and the law enforcement activity for which 
the record is sought. The Institute also may disclose such a record to 
a law enforcement agency on its own initiative in situations in which 
criminal conduct is suspected, provided that such disclosure has been 
established as a routine use, or in situations in which the misconduct 
is directly related to the purpose for which the record is maintained;
    (8) To a person pursuant to a showing of compelling circumstances 
affecting the health or safety of an individual if, upon such 
disclosure, notification is transmitted to the last known address of 
such individual;
    (9) To either House of Congress, or, to the extent of matter within 
its jurisdictions, any committee or subcommittee thereof, any joint 
committee of Congress, or subcommittee of any such joint committee;
    (10) To the Comptroller General, or any of his or her authorized 
representatives, in the course of the performance of official duties of 
the General Accounting Office;
    (11) To a consumer reporting agency in accordance with 31 U.S.C. 
3711(e); or
    (12) Pursuant to an order of a court of competent jurisdiction. In 
the event that any record is disclosed under such compulsory legal 
process, the Institute shall make reasonable efforts to notify the 
subject individual after the process becomes a matter of public record.
    (b) Before disseminating any record about any individual to any 
person other than an Institute employee, the Institute shall make 
reasonable efforts to ensure that such records are, or at the time they 
were collected were, accurate, complete, timely, and relevant for 
Institute purposes. This paragraph (b) does not apply to dissemination 
made pursuant to the provisions of the

[[Page 6379]]

Freedom of Information Act (5 U.S.C. 552) and paragraph (a)(2) of this 
section.


Sec.  1182.14  Procedures for maintaining accounts of disclosures made 
by the Institute from its systems of records.

    (a) The Office of the General Counsel shall maintain a log 
containing the date, nature, and purpose of each disclosure of a record 
to any person or to another agency. Such accounting also shall contain 
the name and address of the person or agency to whom each disclosure 
was made. This log need not include disclosures made to Institute 
employees in the course of their official duties, or pursuant to the 
provisions of the Freedom of Information Act (5 U.S.C. 552).
    (b) The Institute shall retain the accounting of each disclosure 
for at least five years after the accounting is made or for the life of 
the record that was disclosed, whichever is longer.
    (c) The Institute shall make the accounting of disclosures of a 
record pertaining to you available to you at your request. Such a 
request should be made in accordance with the procedures set forth in 
Sec.  1182.8. This paragraph (c) does not apply to disclosures made for 
law enforcement purposes under 5 U.S.C. 552a(b)(7) and Sec.  
1182.13(a)(7).


Sec.  1182.15  Institute responsibility for maintaining adequate 
technical, physical, and security safeguards to prevent unauthorized 
disclosure or destruction of manual and automatic record systems.

    The Chief Information Officer has the responsibility of maintaining 
adequate technical, physical, and security safeguards to prevent 
unauthorized disclosure or destruction of manual and automatic record 
systems. These security safeguards shall apply to all systems in which 
identifiable personal data are processed or maintained, including all 
reports and outputs from such systems that contain identifiable 
personal information. Such safeguards must be sufficient to prevent 
negligent, accidental, or unintentional disclosure, modification or 
destruction of any personal records or data, and must furthermore 
minimize, to the extent practicable, the risk that skilled technicians 
or knowledgeable persons could improperly obtain access to modify or 
destroy such records or data and shall further insure against such 
casual entry by unskilled persons without official reasons for access 
to such records or data.
    (a) Manual systems. (1) Records contained in a system of records as 
defined in this part may be used, held, or stored only where facilities 
are adequate to prevent unauthorized access by persons within or 
outside the Institute.
    (2) All records, when not under the personal control of the 
employees authorized to use the records, must be stored in a locked 
filing cabinet. Some systems of records are not of such confidential 
nature that their disclosure would constitute a harm to an individual 
who is the subject of such record. However, records in this category 
also shall be maintained in locked filing cabinets or maintained in a 
secured room with a locking door.
    (3) Access to and use of a system of records shall be permitted 
only to persons whose duties require such access within the Institute, 
for routine uses as defined in Sec.  1182.1 as to any given system, or 
for such other uses as may be provided in this part.
    (4) Other than for access within the Institute to persons needing 
such records in the performance of their official duties or routine 
uses as defined in Sec.  1182.1, or such other uses as provided in this 
part, access to records within a system of records shall be permitted 
only to the individual to whom the record pertains or upon his or her 
written request to the General Counsel.
    (5) Access to areas where a system of records is stored will be 
limited to those persons whose duties require work in such areas. There 
shall be an accounting of the removal of any records from such storage 
areas utilizing a log, as directed by the Chief Information Officer. 
The log shall be maintained at all times.
    (6) The Institute shall ensure that all persons whose duties 
require access to and use of records contained in a system of records 
are adequately trained to protect the security and privacy of such 
records.
    (7) The disposal and destruction of records within a system of 
records shall be in accordance with rules promulgated by the General 
Services Administration.
    (b) Automated systems. (1) Identifiable personal information may be 
processed, stored, or maintained by automated data systems only where 
facilities or conditions are adequate to prevent unauthorized access to 
such systems in any form. Whenever such data, whether contained in 
punch cards, magnetic tapes, or discs, are not under the personal 
control of an authorized person, such information must be stored in a 
locked or secured room, or in such other facility having greater 
safeguards than those provided for in this part.
    (2) Access to and use of identifiable personal data associated with 
automated data systems shall be limited to those persons whose duties 
require such access. Proper control of personal data in any form 
associated with automated data systems shall be maintained at all 
times, including maintenance of accountability records showing 
disposition of input and output documents.
    (3) All persons whose duties require access to processing and 
maintenance of identifiable personal data and automated systems shall 
be adequately trained in the security and privacy of personal data.
    (4) The disposal and disposition of identifiable personal data and 
automated systems shall be done by shredding, burning, or, in the case 
of tapes or discs, degaussing, in accordance with regulations of the 
General Services Administration or other appropriate authority.


Sec.  1182.16  Procedures to ensure that Institute employees involved 
with its systems of records are familiar with the requirements and of 
the Privacy Act.

    (a) The Director shall ensure that all persons involved in the 
design, development, operation, or maintenance of any Institute system 
are informed of all requirements necessary to protect the privacy of 
subject individuals. The Director also shall ensure that all Institute 
employees having access to records receive adequate training in their 
protection, and that records have adequate and proper storage with 
sufficient security to assure the privacy of such records.
    (b) All employees shall be informed of the civil remedies provided 
under 5 U.S.C. 552a(g)(1) and other implications of the Privacy Act, 
and the fact that the Institute may be subject to civil remedies for 
failure to comply with the provisions of the Privacy Act and the 
regulations in this part.


Sec.  1182.17  Institute systems of records that are covered by 
exemptions in the Privacy Act.

    (a) Pursuant to and limited by 5 U.S.C. 552a(j)(2), the Institute 
system entitled ``Office of the Inspector General Investigative Files'' 
shall be exempted from the provisions of 5 U.S.C. 552a, except for 
subsections (b); (c)(1) and (2); (e)(4)(A) through (F); (e)(6), (7), 
(9), (10), and (11); and (i), insofar as that Institute system contains 
information pertaining to criminal law enforcement investigations.
    (b) Pursuant to and limited by 5 U.S.C. 552a(k)(2), the Institute 
system entitled ``Office of the Inspector General Investigative Files'' 
shall be exempted from 5 U.S.C. 552a(c)(3); (d); (e)(1); (e)(4)(G), 
(H), and (I); and (f), insofar as that Institute system consists of 
investigatory material compiled for law

[[Page 6380]]

enforcement purposes, other than material within the scope of the 
exemption at 5 U.S.C. 552a(j)(2).
    (c) The Institute system entitled ``Office of the Inspector General 
Investigative Files'' is exempt from the provisions of the Privacy Act 
noted in this section because their application might alert 
investigation subjects to the existence or scope of investigations; 
lead to suppression, alteration, fabrication, or destruction of 
evidence; disclose investigative techniques or procedures; reduce the 
cooperativeness or safety of witnesses; or otherwise impair 
investigations.


Sec.  1182.18  Penalties for obtaining an Institute record under false 
pretenses.

    (a) Under 5 U.S.C. 552a(i)(3), any person who knowingly and 
willfully requests or obtains any record from the Institute concerning 
an individual under false pretenses shall be guilty of a misdemeanor 
and fined not more than $5,000.
    (b) A person who falsely or fraudulently attempts to obtain records 
under the Privacy Act also may be subject to prosecution under other 
statutes, including 18 U.S.C. 494, 495, and 1001.


Sec.  1182.19  Restrictions that exist regarding the release of mailing 
lists.

    The Institute may not sell or rent an individual's name and address 
unless such action specifically is authorized by law. This section 
shall not be construed to require the withholding of names and 
addresses otherwise permitted to be made public.

[FR Doc. 06-1122 Filed 2-7-06; 8:45am]
BILLING CODE 7036-01-M