[Federal Register Volume 72, Number 67 (Monday, April 9, 2007)]
[Rules and Regulations]
[Pages 17367-17376]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 07-1651]


=======================================================================
-----------------------------------------------------------------------

SMALL BUSINESS ADMINISTRATION

13 CFR Part 102

RIN 3245-AF20


Record Disclosure and Privacy

AGENCY: U.S. Small Business Administration (SBA).

ACTION: Direct Final Rule.

-----------------------------------------------------------------------

SUMMARY: This rule updates the U.S. Small Business Administration's 
(SBA) regulations implementing the Privacy Act of 1974. This rule 
ensures the security and confidentiality of personally identifiable 
records and protects against hazards to their integrity. Specifically, 
Subpart B of the Privacy Act regulations is revised to include SBA's 
procedures for maintaining appropriate administrative, technical and 
physical safeguards to ensure the security of the records. Also 
included are Privacy Act standards of conduct for Agency employees; 
training and reporting requirements pursuant to Privacy Act guidelines 
and the Office of Management and Budget (OMB) guidance; and the Privacy 
Act responsibilities of the Chief, Freedom of Information/Privacy Acts 
(FOI/PA) Office.

DATES: This rule is effective June 8, 2007 without further action, 
unless significant adverse comment is received by May 9, 2007. If 
significant adverse comment is received, the SBA will publish a timely 
withdrawal of the rule in the Federal Register.

ADDRESSES: You may submit comments, identified by RIN 3245-AF20, by any 
of the following methods: (1) Federal rulemaking portal at http://www.regulations.gov; (2) e-mail: [email protected], include RIN 
number 3245-AF20 in the subject line of the message; (3) mail to: 
Delorice P. Ford, Agency Chief FOIA Officer, 409 3rd Street, SW., Mail 
Code: 2441, Washington, DC 20416; and (4) Hand Delivery/Courier: 409 
3rd Street, SW., Washington, DC 20416.

FOR FURTHER INFORMATION CONTACT: Delorice P. Ford, Agency Chief FOIA 
Officer, (202) 401-8203.

SUPPLEMENTARY INFORMATION: SBA is revising Subpart B of Part 102 to 
include more in-depth information about Privacy Act (PA) 
responsibilities, and to further ensure the security and 
confidentiality of the Agency's personally identifiable records, 
including the standards for disclosure of information under computer 
matching programs. This rule will further assist the SBA in focusing on 
the four basic policy objectives of the Privacy Act. Those objectives 
are: the restriction of disclosure of personally identifiable 
information; individuals' increased right of access to records 
maintained on them; individuals' right to seek amendment of records 
maintained on them; and the establishment of fair information 
practices. SBA is substantially revising this rule to present it in a 
statement and narrative format rather than question and answer, which 
conforms to the current writing style of Subpart A. As a result, the 
headings and section numbers are different than current SBA rule 13 CFR 
part 102, Subpart B.
    SBA is publishing this rule as a direct final rule because it 
believes the rule is non-controversial since it merely enforces the 
basic policy objectives of the Privacy Act and does not present novel 
or unusual policies or practices. Because the rule follows routine, 
standard government-wide Privacy Act practices, SBA believes that this 
direct final rule will not elicit any significant adverse comments. 
However, if such comments are received, SBA will publish a timely 
notice of withdrawal in the Federal Register.

Section-by Section Analysis

    General provisions, Sec.  102.20, provides an overview of the scope 
of regulations contained in Subpart B as well as definitions for terms 
that are not previously defined in Part 102.
    New Sec.  102.21 Agency officials responsible for the Privacy Act, 
describes the various Agency personnel responsible for the PA and a 
listing of their duties. Some of this information is currently included 
in SBA PA rules at 13 CFR 102.29 and 102.32.
    Section 102.22 Requirements relating to systems of records, this 
section expands current SBA PA rules at Sec. Sec.  102.24 and 102.25 
and establishes parameters for the type of information that SBA may 
collect from an individual, including the prohibition on maintaining 
records concerning First Amendment rights in certain circumstances. 
Section 102.22 also addresses how to ensure the accurate and secure 
maintenance of records on individuals, and how to report new systems of 
records.
    Section 102.23--Publication in the Federal Register Notices of 
systems of records explains that SBA will publish notice of new or 
modified systems of records and routine uses in the Federal Register. 
This section is not currently included in SBA rules.
    Section 102.24--Requests for access to records describes procedures 
for individuals on how and where to make requests for access to records 
under the PA. This section is similar to current SBA rule at 13 CFR 
102.34.
    Section 102.25--Responsibility for responding to requests for 
access to records provides a description of responsibilities for Agency 
respondents to requests for access to records, while Sec.  102.26--
Responses to requests for access to record describes what to include in 
those responses. Current SBA rule at 13 CFR 102.36 provides similar 
information.
    New Sec.  102.27--Appeals from denials of requests for access to 
records provides procedures for individuals on how and where to make 
appeals from denials of requests for access to records.
    Section 102.28--Requests for amendment or correction of records, 
provides a description of how and where to make requests and appeals 
for amendment or correction of records, including how to file 
Statements of Disagreement if appeals under this section are denied in 
whole or part.
    Section 102.29--Requests for an accounting of record disclosures 
describes procedures for individuals to make requests and appeals for 
an accounting of records disclosures.
    Section 102.30--Preservation of records this section describes how 
SBA will implement the record retention requirements of Title 44 of the 
United States Code or the National Archives and Records 
Administration's General Records Schedule 14.
    Section 102.31--Fees this section states that for PA matters, SBA 
charges only for duplication of records and all fees under $25 are 
waived.
    Section 102.32--Notice of court-ordered and emergency disclosures 
this section explains SBA's compliance with court-ordered and emergency 
disclosures. SBA will notify individuals by mailing a notice to their 
last known address.
    Section 102.33--Security of systems of records this section 
requires SBA offices that maintain PA records to establish controls to 
protect records on individuals and ensure that record access is limited 
to only those

[[Page 17368]]

individuals who must have access to the records to perform their 
duties.
    Section 102.34--Contracts for the operation of record systems this 
section establishes that SBA contractors are subject to the PA and this 
rule. The contractor and its employees are considered SBA employees 
during the contract and can be subject to the sanctions of the PA.
    Section 102.35--Use and collection of Social Security Numbers under 
this section, individuals may not be negatively affected if they refuse 
to provide their social security numbers, unless such numbers are 
required under a statute or regulation adopted prior to 1975, or the 
collection in general is authorized by statute. Individuals must be 
informed whether submitting the social security number is mandatory or 
voluntary; the authority for collecting it; and the purpose for which 
it will be used.
    Section 102.36--Privacy Act standards of conduct this section 
requires SBA to inform its employees how the Agency enforces PA 
provisions, including civil liability and criminal penalty provisions. 
The section sets forth standards for collecting, maintaining, 
accessing, or disclosing information in a system of records, in order 
to comply with those standards.
    Section 102.37--Training requirements according to this section all 
SBA employees with PA duties must periodically attend Agency PA 
training.
    Section 102. 38--Other rights and services this section limits the 
rights of persons to access any record they are not entitled to under 
the PA.
    Section 102.39--SBA's Exempt Privacy Act Systems of Records this 
section identifies the systems of records that are exempt from 
disclosure and the basis for their exemption. In general such systems 
contain Office of Inspector General (OIG) investigatory materials, 
Equal Employment Opportunity records, personnel records, and litigation 
records that contain personally identifiable criminal, investigative, 
and financial information. The exemption of these systems will help 
protect the investigative process, information sources, and classified 
information.
    Section 102.40--Computer matching agreements this section 
establishes that SBA may not disclose information on an individual for 
use in a computer matching program unless the Agency has entered into a 
written agreement governing the use of the information with the 
recipient of such information. Among other things, matching agreements 
must specify the purpose, legal authority, description and approximate 
number of records, estimate of savings, procedures for individualized 
notice, information verification, record retention and security, 
prohibitions on duplication and re-disclosure, assessments on record 
accuracy, and record access by the Comptroller General. Copies of all 
matching agreements must be provided to appropriate Congressional 
committees.
    This section also establishes a Data Integrity Board to oversee and 
coordinate the matching programs, approve and maintain all written 
agreements, and if OMB requests, compile a report on SBA's matching 
activities that will be available to the public. Finally, this section 
sets forth the process for filing an appeal with OMB of any matching 
agreement the Data Integrity Board disapproves. OMB may approve such a 
matching agreement, if it finds that the program will be consistent 
with all applicable legal, regulatory and policy requirements, is cost-
effective and is in the public interest. If the Board and OMB 
disapprove a matching program proposed by OIG, the IG may report such 
disapproval to the Administrator and to Congress.
    Section 102.41--Other provisions this section explains that SBA 
personnel records are maintained in accordance with Office of Personnel 
Management regulations, describes the conditions for disclosing an 
individual's medical records, and notifies individuals that SBA will 
not profit from the sale of an individual's name or address.

Compliance With Executive Orders 12866, 12988, and 13132, the 
Regulatory Flexibility Act (5 U.S.C. 601-612), and the Paperwork 
Reduction Act (44 U.S.C. Ch. 35)

Executive Order 12866

    The Office of Management and Budget has determined that this rule 
does not constitute a significant regulatory action within the meaning 
of Executive Order 12866. This rule merely makes SBA's Privacy Act 
program more compliant with current law and facilitates greater public 
understanding of why personal information is collected, how that 
information will be used and shared, how it may be accessed, and 
securely stored.

Executive Order 12988

    This rule meets the applicable standards set forth in Sec. Sec.  
3(a) and (3)(b)(2) of Executive Order 12988, to minimize litigation, 
eliminate ambiguity, and reduce burden. This rule would not have 
retroactive or preemptive effect.

Executive Order 13132

    This rule would not have substantial direct effects on the States, 
on the relationship between the national government and the States, or 
on the distribution of power and responsibilities among the various 
levels of government. Therefore, for purposes of Executive Order 13132, 
SBA has determined that this rule does not have sufficient federalism 
implications to warrant the preparation of a Federalism Assessment.

Paperwork Reduction Act

    For the purpose of the Paperwork Reduction Act, 44 U.S.C. Ch. 35, 
SBA has determined that this rule will not impose any new reporting or 
record keeping requirements.

Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA) requires administrative 
agencies to consider the effect of their actions on small entities, 
small non-profit enterprises, and small local governments. The RFA 
requires agencies to prepare an analysis which describes the impact of 
each rule on such entities. However, in lieu of preparing an analysis, 
section 605 of the RFA allows an agency to certify that the rulemaking 
is not expected to have a significant economic impact on a substantial 
number of small entities. This rule concerns the rights of individuals 
under the Privacy Act and outlines the responsibilities of the Agency 
to ensure that information it collects on those individuals is used and 
maintained in a manner that ensures its confidentiality. An individual 
is not a small entity as defined in the RFA. Furthermore, the Privacy 
Act does not concern small entities. Accordingly, SBA certifies that 
this rule will not have a significant economic impact on a substantial 
number of small entities.

List of Subjects in 13 CFR Part 102

    Freedom of information, Privacy.

0
For the reasons stated in the preamble, the Small Business 
Administration amends 13 CFR Chapter I, part 102, as follows:

PART 102--RECORD DISCLOSURE AND PRIVACY

0
1. The authority citation for part 102 is revised to read as follows:

    Authority: 5 U.S.C. 301, 552, 552a; 31 U.S.C. 9701; 44 U.S.C. 
3501, et seq., E.O. 12600, 52 FR 23781, 3 CFR, 187 Comp., p. 235.

[[Page 17369]]

0
2. Revise subpart B of part 102 to read as follows:

Subpart B--Protection of Privacy and Access to Individual Records 
Under the Privacy Act of 1974

Sec.
102.20 General provisions.
102.21 Agency officials responsible for the Privacy Act of 1974.
102.22 Requirements relating to systems of records.
102.23 Publication in the Federal Register--Notices of systems of 
records.
102.24 Requests for access to records.
102.25 Responsibility for responding to requests for access to 
records.
102.26 Responses to requests for access to records.
102.27 Appeals from denials of requests for access to records.
102.28 Requests for amendment or correction of records.
102.29 Requests for an accounting of record disclosures.
102.30 Preservation of records.
102.31 Fees.
102.32 Notice of court-ordered and emergency disclosures.
102.33 Security of systems of records.
102.34 Contracts for the operation of record systems.
102.35 Use and collection of Social Security Numbers.
102.36 Privacy Act standards of conduct.
102.37 Training requirements.
102.38 Other rights and services.
102.39 SBA's exempt Privacy Act systems of records.
102.40 Computer matching.
102.41 Other provisions.

Subpart B--Protection of Privacy and Access to Individual Records 
Under the Privacy Act of 1974


Sec.  102.20  General provisions.

    (a) Purpose and scope. This subpart implements the provisions of 
the Privacy Act of 1974, 5 U.S.C. 552a. These regulations apply to all 
records which are contained in systems of records maintained by the 
U.S. Small Business Administration (SBA) and that are retrieved by an 
individual's name or personal identifier. These regulations set forth 
the procedures by which individuals may request access to records about 
themselves, request amendment or correction of those records, and 
request an accounting of disclosures of those records by the SBA. These 
regulations also set forth the requirements applicable to SBA employees 
maintaining, collecting, using or disseminating records pertaining to 
individuals. This subpart applies to SBA and all of its offices and is 
mandatory for use by all SBA employees.
    (b) Definitions. As used in this subpart:
    (1) Agency means the U.S. Small Business Administration (SBA) and 
includes all of its offices wherever located;
    (2) Employee means any employee of the SBA, regardless of grade, 
status, category or place of employment;
    (3) Individual means a citizen of the United States or an alien 
lawfully admitted for permanent residence. This term shall not 
encompass entrepreneurial enterprises (e.g. sole proprietors, 
partnerships, corporations, or other forms of business entities);
    (4) Maintain includes maintain, collect, use, or disseminate;
    (5) Record means any item, collection, or grouping of information 
about an individual that is maintained by the SBA, including, but not 
limited to education, financial transactions, medical history, and 
criminal or employment history and that contains the individual's name, 
or an identifying number, symbol, or other identifying particular 
assigned to the individual such as a finger or voice print or 
photograph;
    (6) System of records means a group of any records under the 
control of SBA from which information is retrieved by the name of the 
individual or by an identifying number, symbol, or other identifying 
particular assigned to the individual;
    (7) Statistical record means a record in a system of records 
maintained for statistical research or reporting purposes only and not 
used in whole or in part in making any determination about an 
identifiable individual;
    (8) Routine use means, with respect to the disclosure of a record, 
the use of such record for a purpose which is compatible with the 
purpose for which it was collected;
    (9) Request for access to a record means a request made under 
Privacy Act subsection (d)(1) allowing an individual to gain access to 
his or her record or to any information pertaining to him or her which 
is contained in a system of records;
    (10) Request for amendment or correction of a record means a 
request made under Privacy Act subsection (d)(2), permitting an 
individual to request amendment or correction of a record that he or 
she believes is not accurate, relevant, timely, or complete;
    (11) Request for an accounting means a request made under Privacy 
Act subsection (c)(3) allowing an individual to request an accounting 
of any disclosure to any SBA officers and employees who have a need for 
the record in the performance of their duties;
    (12) Requester is an individual who makes a request for access, a 
request for amendment or correction, or a request for an accounting 
under the Privacy Act; and
    (13) Authority to request records for a law enforcement purpose 
means that the head of an Agency or a United States Attorney, or 
either's designee, is authorized to make written requests under 
subsection (b)(7) of the Privacy Act for records maintained by other 
agencies that are necessary to carry out an authorized law enforcement 
activity.


Sec.  102.21  Agency employees responsible for the Privacy Act of 1974.

    (a) Program/Support Office Head is the SBA employee in each field 
office and major program and support area responsible for implementing 
and overseeing this regulation in that office.
    (b) Privacy Act Systems Manager (PASM) is the designated SBA 
employee in each office responsible for the development and management 
of any Privacy Act systems of records in that office.
    (c) Senior Agency Official for Privacy is SBA's Chief Information 
Officer (CIO) who has overall responsibility and accountability for 
ensuring the SBA's implementation of information privacy protections, 
including the SBA's full compliance with Federal laws, regulations, and 
policies relating to information privacy such as the Privacy Act and 
the E-Government Act of 2002.
    (d) Chief, Freedom of Information/Privacy Acts (FOI/PA) Office 
oversees and implements the record access, amendment, and correction 
provisions of the Privacy Act.


Sec.  102.22  Requirements relating to systems of records.

    (a) In general. Each SBA office shall, in accordance with the 
Privacy Act:
    (1) Maintain in its records only such information about an 
individual as is relevant and necessary to accomplish a purpose of the 
Agency required to be accomplished by a statute or by Executive Order 
of the President;
    (2) Collect information to the greatest extent practicable directly 
from the subject individual when the information may affect an 
individual's rights, benefits, and privileges under Federal programs;
    (b) Requests for information from individuals. If a form is being 
used to collect information from individuals, either the form used to 
collect the information, or a separate form that can be retained by the 
individual, must state the following:
    (1) The authority (whether granted by statute, or by Executive 
Order of the

[[Page 17370]]

President) which authorizes the solicitation of the information and 
whether disclosure of such information is mandatory or voluntary;
    (2) The principal purpose or purposes for which the information is 
intended to be used;
    (3) The routine uses which may be made of the information; and
    (4) The effects on such individual, if any, of not providing all or 
any part of the requested information.
    (c) Report on new systems. Each SBA office shall provide adequate 
advance notice to Congress and OMB through the FOI/PA Office of any 
proposal to establish or alter any system of records in order to permit 
an evaluation of the probable or potential effect of such proposal on 
the privacy and other personal or property rights of individuals or the 
disclosure of information relating to such individuals.
    (d) Accurate and secure maintenance of records. Each SBA office 
shall:
    (1) Maintain all records which are used in making any determination 
about any individual with such accuracy, relevance, timeliness, and 
completeness as is reasonably necessary to assure fairness to the 
individual in the determination;
    (2) Prior to disseminating any record from a system of records 
about an individual to any requestor, including an agency, make 
reasonable efforts to assure that such records are accurate, complete, 
timely, and relevant for SBA purposes; and
    (3) Establish appropriate administrative, technical, and physical 
safeguards to insure the security and confidentiality of records and to 
protect against any anticipated threats or hazards to their security or 
integrity which could result in substantial harm, embarrassment, 
inconvenience, or unfairness to any individual on whom information is 
maintained.
    (i) PASMs, with the approval of the head of their offices, shall 
establish administrative and physical controls, consistent with SBA 
regulations, to insure the protection of records systems from 
unauthorized access or disclosure and from physical damage or 
destruction. The controls instituted shall be proportional to the 
degree of sensitivity of the records but at a minimum must ensure that 
records other than those available to the general public under the 
FOIA, are protected from public view, that the area in which the 
records are stored is supervised during all business hours and 
physically secured during non-business hours to prevent unauthorized 
personnel from obtaining access to the records.
    (ii) PASMs, with the approval of the head of their offices, shall 
adopt access restrictions to insure that only those individuals within 
the agency who have a need to have access to the records for the 
performance of their duties have access to them. Procedures shall also 
be adopted to prevent accidental access to, or dissemination of, 
records.
    (e) Prohibition against maintenance of records concerning First 
Amendment rights. No SBA office shall maintain a record describing how 
any individual exercises rights guaranteed by the First Amendment (e.g. 
speech), unless the maintenance of such record is:
    (1) Expressly authorized by statute, or
    (2) Expressly authorized by the individual about whom the record is 
maintained, or
    (3) Pertinent to and within the scope of an authorized law 
enforcement activity.


Sec.  102.23  Publication in the Federal Register--Notices of systems 
of records.

    (a) Notices of systems of records to be published in the Federal 
Register. (1) The SBA shall publish in the Federal Register upon 
establishment or revision a notice of the existence and character of 
any new or revised systems of records. Unless otherwise instructed, 
each notice shall include:
    (i) The name and location of the system;
    (ii) The categories of individuals on who records are maintained in 
the system;
    (iii) The categories of records maintained in the system;
    (iv) Each routine use of the records contained in the system, 
including the categories of users and the purpose of such use;
    (v) The policies and practices of the office regarding storage, 
retrievability, access controls, retention, and disposal of the 
records;
    (vi) The title and business address of the SBA official who is 
responsible for the system of records;
    (vii) A statement that SBA procedures allow an individual, at his 
or her request, to determine whether a system of records contains a 
record pertaining to him or her, to review such records and to contest 
or amend such records, located in sections 102.25 through 102.29 of 
these regulations.
    (viii) A statement that such requests may be directed to the SBA's 
FOI/PA Office, 409 3rd St., SW., Washington, DC 20416 or faxed to 202-
205-7059; and
    (ix) The categories of sources of records in the system.
    (2) Minor changes to systems of records shall be published 
annually.
    (b) Notice of new or modified routine uses to be published in the 
Federal Register. At least 30 days prior to disclosing records pursuant 
to a new use or modification of a routine use, as published under 
paragraph (a)(1)(iv) of this section, each SBA office shall publish in 
the Federal Register notice of such new or modified use of the 
information in the system and provide an opportunity for any individual 
or persons to submit written comments.


Sec.  102.24  Requests for access to records.

    (a) How made and addressed. An individual, or his or her legal 
guardian, may make a request for access to an SBA record about himself 
or herself by appearing in person or by writing directly to the SBA 
office that maintains the record or to the FOI/PA Office by mail to 409 
3rd St., SW., Washington, DC 20416 or fax to 202-205-7059. A request 
received by the FOI/PA Office will be forwarded to the appropriate SBA 
Office where the records are located.
    (b) Description of records sought. A request for access to records 
must describe the records sought in sufficient detail to enable SBA 
personnel to locate the system of records containing them with a 
reasonable amount of effort. A request should also state the date of 
the record or time period in which the record was compiled, and the 
name or identifying number of each system of records in which the 
requester believes the record is kept. The SBA publishes notices in the 
Federal Register that describe its systems of records. A description of 
the SBA's systems of records also may be found at http://www.sba.gov/foia/systemrecords.doc.
    (c) Verification of identity. Any individual who submits a request 
for access to records must verify his or her identity. No specific form 
is required; however, the requester must state his or her full name, 
current address, and date and place of birth. The request must be 
signed and the requester's signature must either be notarized or 
submitted under 28 U.S.C. 1746. This law permits statements to be made 
under penalty of perjury as a substitute for notarization, the language 
states:
    (1) If executed outside the United States: ``I declare (or certify, 
verify, or state) under penalty of perjury under the laws of the United 
States of America that the foregoing is true and correct. Executed on 
(date). Signature''; or
    (2) If executed within the Untied States, its territories, 
possessions or commonwealths: ``I declare (or certify, verify, or 
state) under penalty of perjury that the foregoing is true and correct. 
Executed on (date). Signature''.

[[Page 17371]]

    (d) Verification of guardianship. When making a request as a legal 
agent or the parent or guardian of a minor or as the guardian of 
someone determined by a court to be incompetent, for access to records 
about that individual, the requester must establish:
    (1) The identity of the individual who is the subject of the 
record, by stating the name, current address, date and place of birth, 
and, at the requester's option, the social security number of the 
individual;
    (2) The requester's own identity, as required in paragraph (c) of 
this section;
    (3) That the requester is the legal agent or parent or guardian of 
that individual, which may be proven by providing a copy of the 
individual's birth certificate showing his parentage or by providing a 
court order establishing guardianship; and
    (4) That the requester is acting on behalf of that individual in 
making the request.


Sec.  102.25  Responsibility for responding to requests for access to 
records.

    (a) In general. Except as stated in paragraphs (c), (d), and (e) of 
this section and in Sec.  102.24(a), the office that first receives a 
request for access to a record, and has possession of that record, is 
the office responsible for responding to the request. That office shall 
acknowledge receipt of the request not later than 10 days (excluding 
Saturdays, Sundays, and legal public holidays) after the date of 
receipt of the request in writing. In determining which records are 
responsive to a request, an office ordinarily shall include only those 
records in its possession as of the date the office begins its search 
for them. If any other date is used, the office shall inform the 
requester of that date.
    (b) Authority to grant or deny requests. The Program/Support Office 
Head, or designee, is authorized to grant or deny any request for 
access to a record of that office.
    (c) Consultations and referrals. When an office receives a request 
for access to a record in its possession, it shall determine whether 
another office, or another agency of the Federal Government, is better 
able to determine whether the record is exempt from access under the 
Privacy Act. If the receiving office determines that it is best able to 
process the record in response to the request, then it shall do so. If 
the receiving office determines that it is not best able to process the 
record, then it shall either:
    (1) Respond to the request regarding that record, after consulting 
with the office or agency best able to determine whether the record is 
exempt from access and with any other office or agency that has a 
substantial interest in it; or
    (2) Refer the responsibility for responding to the request to the 
office best able to determine whether the record is exempt from access 
or to another agency that originated the record (but only if that 
agency is subject to the Privacy Act). Ordinarily the office or agency 
that originated a record will be presumed to be best able to determine 
whether it is exempt from access.
    (d) Law enforcement information. Whenever a request is made for 
access to a record containing information that relates to an 
investigation of a possible violation of law and that was originated by 
SBA's Office of the Inspector General (OIG) or another agency, the 
receiving office shall refer the responsibility for responding to the 
request regarding that information to either SBA's OIG or the other 
agency ``depending on where the investigation originated.''
    (e) Classified information. Whenever a request is made for access 
to a record containing information that has been classified by or may 
be appropriate for classification by another office or agency under 
Executive Order 12958 or any other executive order concerning the 
classification of records, the receiving office shall refer the 
responsibility for responding to the request regarding that information 
to the office or agency that classified the information, should 
consider the information for classification, or has the primary 
interest in it, as appropriate. Whenever a record contains information 
that has been derivatively classified by an office because it contains 
information classified by another office or agency, the office shall 
refer the responsibility for responding to the request regarding that 
information to the office or agency that classified the underlying 
information. Information determined to no longer require classification 
shall not be withheld from a requester on the basis of Exemption (k)(1) 
of the Privacy Act.
    (f) Notice of referral. Whenever an office refers all or any part 
of the responsibility for responding to a request to another office or 
agency, it shall notify the requester of the referral and inform the 
requester of the name of each office or agency to which the request has 
been referred and of the part of the request that has been referred.
    (g) Responses to consultations and referrals. All consultations and 
referrals shall be processed according to the date the access request 
was initially received by the first office or agency, not any later 
date.
    (h) Agreements regarding consultations and referrals. Offices may 
make agreements with other offices or agencies to eliminate the need 
for consultations or referrals for particular types of records.


Sec.  102.26  Responses to requests for access to records.

    (a) Acknowledgements of requests. On receipt of a request, an 
office shall send an acknowledgement letter to the requester.
    (b) Grants of requests for access. Once an office makes a 
determination to grant a request for access in whole or in part, it 
shall notify the requester in writing. The Program/Support Office Head 
or designee shall inform the requester in the notice of any fee charged 
under Sec.  102.31 and shall disclose records to the requester promptly 
on payment of any applicable fee. If a request is made in person, the 
office may disclose records to the requester directly, in a manner not 
unreasonably disruptive of its operations, on payment of any applicable 
fee and with a written record made of the grant of the request. If a 
requester is accompanied by another person, he or she shall be required 
to authorize in writing any discussion of the records in the presence 
of the other person.
    (c) Adverse determinations of requests for access. A Program/
Support Office Head or designee making an adverse determination denying 
a request for access in any respect shall notify the requester of that 
determination in writing. Adverse determinations, or denials of 
requests, consist of: a determination to withhold any requested record 
in whole or in part; a determination that a requested record does not 
exist or cannot be located; a determination that the requested 
information is not a record subject to the Privacy Act; a determination 
on any disputed fee matter; and a denial of a request for expedited 
treatment. The notification letter shall be signed by the Program/
Support Office Head or designee, and shall include:
    (1) The name and title or position of the person responsible for 
the denial;
    (2) A brief statement of the reason(s) for the denial, including 
any FOIA or Privacy Act exemption(s) applied in denying the request; 
and
    (3) A statement that the denial may be appealed under Sec.  
102.27(a) and a description of the requirements of Sec.  102.27(a).

[[Page 17372]]

Sec.  102.27  Appeals from denials of requests for access to records.

    (a) Appeals. If the requester is dissatisfied with an office's 
response to his or her request for access to records, the requester may 
make a written appeal of the adverse determination denying the request 
in any respect to the SBA's FOI/PA Office, 409 3rd St., SW., 
Washington, DC 20416. The appeal must be received by the FOI/PA Office 
within 60 days of the date of the letter denying the request. The 
requester's appeal letter should include as much information as 
possible, including the identity of the office whose adverse 
determination is being appealed. Unless otherwise directed, the Chief, 
FOI/PA will decide all appeals under this subpart.
    (b) Responses to appeals. The decision on a requester's appeal will 
be made in writing not later than 30 days (excluding Saturdays, 
Sundays, and legal public holidays) after the date of receipt of such 
appeal. A decision affirming an adverse determination in whole or in 
part will include a brief statement of the reason(s) for the 
affirmation, including any Privacy Act exemption applied, and will 
inform the requester of the Privacy Act provisions for court review of 
the decision. If the adverse determination is reversed or modified on 
appeal in whole or in part, the requester will be notified in a written 
decision and his request will be reprocessed in accordance with that 
appeal decision.
    (c) Judicial review. In order to seek judicial review by a court of 
any adverse determination or denial of a request, a requester must 
first appeal it to the FOI/PA Office under this section.


Sec.  102.28  Requests for amendment or correction of records.

    (a) How made and addressed. Unless the record is not subject to 
amendment or correction as stated in paragraph (f) of this section, an 
individual may make a request for amendment or correction of an SBA 
record about himself or herself by writing directly to the office that 
maintains the record, following the procedures in Sec.  102.24. The 
request should identify each particular record in question, state the 
amendment or correction sought, and state why the record is not 
accurate, relevant, timely, or complete. The requester may submit any 
documentation that he or she thinks would be helpful. If the requester 
believes that the same record is in more than one system of records, 
that should be stated and the request should be sent to each office 
that maintains a system of records containing the record.
    (b) Office responses. Within ten (10) days (excluding Saturdays, 
Sundays, and legal public holidays) of receiving a request for 
amendment or correction of records, an office shall send the requester 
a written acknowledgment of receipt, and the office shall notify the 
requester within 30 days (excluding Saturdays, Sundays, and legal 
public holidays) of receipt of the request whether it is granted or 
denied. If the Program/Support Office Head or designee grants the 
request in whole or in part, the amendment or correction must be made, 
and the requester advised of his or her right to obtain a copy of the 
corrected or amended record. If the office denies a request in whole or 
in part, it shall send the requester a letter signed by the Program/
Support Office Head or designee that shall state:
    (1) The reason(s) for the denial; and
    (2) The procedure for appeal of the denial under paragraph (c) of 
this section, including the name and business address of the official 
who will act on your appeal.
    (c) Appeals. An individual may appeal a denial of a request for 
amendment or correction to the FOI/PA Office in the same manner as a 
denial of a request for access to records (see Sec.  102.27), and the 
same procedures shall be followed. If the appeal is denied, the 
requester shall be advised of his or her right to file a Statement of 
Disagreement as described in paragraph (d) of this section and of his 
or her right under the Privacy Act for court review of the decision.
    (d) Statement of Disagreement. If an appeal under this section is 
denied in whole or in part, the requester has the right to file a 
Statement of Disagreement that states the reason(s) for disagreeing 
with the SBA's denial of his or her request for amendment or 
correction. A Statement of Disagreement must be concise, must clearly 
identify each part of any record that is disputed, and should be no 
longer than one typed page for each fact disputed. An individual's 
Statement of Disagreement must be sent to the office that maintains the 
record involved, which shall place it in the system of records in which 
the disputed record is maintained and shall mark the disputed record to 
indicate that a Statement of Disagreement has been filed and where in 
the system of records it may be found.
    (e) Notification of amendment/correction or disagreement. Within 30 
days (excluding Saturdays, Sundays, and legal public holidays) of the 
amendment or correction of a record, the office that maintains the 
record shall notify all persons, organizations, or agencies to which it 
previously disclosed the record, if an accounting of that disclosure 
was made, that the record has been amended or corrected. If an 
individual has filed a Statement of Disagreement, the office shall 
append a copy of it to the disputed record whenever the record is 
disclosed and may also append a concise statement of its reason(s) for 
denying the request to amend or correct the record.
    (f) Records not subject to amendment or correction. The following 
records are not subject to amendment or correction:
    (1) Transcripts of testimony given under oath or written statements 
made under oath;
    (2) Transcripts of grand jury proceedings, judicial proceedings, or 
quasi-judicial proceedings, which are the official record of those 
proceedings;
    (3) Pre-sentence records that originated with the courts; and
    (4) Records in systems of records that have been exempted from 
amendment and correction under Privacy Act, 5 U.S.C. 552a (j) or (k) by 
notice published in the Federal Register.


Sec.  102.29  Requests for an accounting of record disclosures.

    (a) How made and addressed. Except where accountings of disclosures 
are not required to be kept (as stated in paragraph (b) of this 
section), an individual may make a request for an accounting of any 
disclosure that has been made by the SBA to another person, 
organization, or agency of any record in a system of records about him 
or her. This accounting contains the date, nature, and purpose of each 
disclosure, as well as the name and address of the person, 
organization, or agency to which the disclosure was made. The request 
for an accounting should identify each particular record in question 
and should be made by writing directly to the SBA office that maintains 
the record, following the procedures in Sec.  102.24.
    (b) Where accountings are not required. Offices are not required to 
provide accountings where they relate to:
    (1) Disclosures for which accountings are not required to be kept; 
disclosures that are made to employees within the SBA and disclosures 
that are made under the FOIA;
    (2) Disclosures made to law enforcement agencies for authorized law 
enforcement activities in response to written requests from those law 
enforcement agencies specifying the civil or criminal law enforcement 
activities for which the disclosures are sought; or

[[Page 17373]]

    (3) Disclosures made from law enforcement systems of records that 
have been exempted from accounting requirements under Privacy Act, 5 
U.S.C. 552a(j) or (k) by notice published in the Federal Register.
    (c) Appeals. An individual may appeal a denial of a request for an 
accounting to the FOI/PA Office in the same manner as a denial of a 
request for access to records (see Sec.  102.27), and the same 
procedures will be followed.


Sec.  102.30  Preservation of records.

    Each office will preserve all correspondence pertaining to the 
requests that it receives under this subpart, as well as copies of all 
requested records, until disposition or destruction is authorized by 
title 44 of the United States Code or the National Archives and Records 
Administration's General Records Schedule 14. Records will not be 
disposed of while they are the subject of a pending request, appeal, or 
lawsuit under the Privacy Act.


Sec.  102.31  Fees.

    SBA offices shall charge fees for duplication of records under the 
Privacy Act in the same way in which they charge duplication fees under 
Sec.  102.6(b)(3). No search or review fee may be charged for any 
record unless the record has been exempted from access under Exemptions 
(j)(2) or (k)(2) of the Privacy Act. SBA will waive fees under $25.00.


Sec.  102.32  Notice of court-ordered and emergency disclosures.

    (a) Court-ordered disclosures. When a record pertaining to an 
individual is required to be disclosed by order of a court of competent 
jurisdiction, the office that maintains the record shall make 
reasonable efforts to provide notice of this to the individual. Notice 
shall be given within a reasonable time after the office's receipt of 
the order, except that in a case in which the order is not a matter of 
public record, the notice shall be given only after the order becomes 
public. This notice shall be mailed to the individual's last known 
address and shall contain a copy of the order and a description of the 
information disclosed. Notice shall not be given if disclosure is made 
from a criminal law enforcement system of records that has been 
exempted from the notice requirement.
    (b) Emergency disclosures. Upon disclosing a record pertaining to 
an individual made under compelling circumstances affecting health or 
safety, the office shall notify that individual of the disclosure. This 
notice shall be mailed to the individual's last known address and shall 
state the nature of the information disclosed; the person, 
organization, or agency to which it was disclosed; the date of 
disclosure; and the compelling circumstances justifying the disclosure.


Sec.  102.33  Security of systems of records.

    (a) Each Program/Support Office Head or designee shall establish 
administrative and physical controls to prevent unauthorized access to 
its systems of records, to prevent unauthorized disclosure of records, 
and to prevent physical damage to or destruction of records. The 
stringency of these controls shall correspond to the sensitivity of the 
records that the controls protect. At a minimum, each office's 
administrative and physical controls shall ensure that:
    (1) Records are protected from public view;
    (2) The area in which records are kept is supervised during 
business hours to prevent unauthorized persons from having access to 
them;
    (3) Records are inaccessible to unauthorized persons outside of 
business hours; and
    (4) Records are not disclosed to unauthorized persons or under 
unauthorized circumstances in either oral or written form.
    (b) Each Program/Support Office Head or designee shall establish 
procedures that restrict access to records to only those individuals 
within the SBA who must have access to those records in order to 
perform their duties and that prevent inadvertent disclosure of 
records.
    (c) The OCIO shall provide SBA offices with guidance and assistance 
for privacy and security of electronic systems and compliance with 
pertinent laws and requirements.


Sec.  102.34  Contracts for the operation of record systems.

    When SBA contracts for the operation or maintenance of a system of 
records or a portion of a system of records by a contractor, the record 
system or the portion of the record affected, are considered to be 
maintained by the SBA, and subject to this subpart. The SBA is 
responsible for applying the requirements of this subpart to the 
contractor. The contractor and its employees are to be considered 
employees of the SBA for purposes of the sanction provisions of the 
Privacy Act during performance of the contract.


Sec.  102.35  Use and collection of Social Security Numbers.

    Each Program/Support Office Head or designee shall ensure that 
collection and use of SSN is performed only when the functionality of 
the system is dependant on use of the SSN as an identifier. Employees 
authorized to collect information must be aware:
    (a) That individuals may not be denied any right, benefit, or 
privilege as a result of refusing to provide their social security 
numbers, unless:
    (1) The collection is authorized either by a statute; or
    (2) The social security numbers are required under statute or 
regulation adopted prior to 1975 to verify the identity of an 
individual; and
    (b) That individuals requested to provide their social security 
numbers must be informed of:
    (1) Whether providing social security numbers is mandatory or 
voluntary;
    (2) Any statutory or regulatory authority that authorizes the 
collection of social security numbers; and
    (3) The uses that will be made of the numbers.


Sec.  102.36  Privacy Act standards of conduct.

    Each Program/Support Office Head or designee shall inform its 
employees of the provisions of the Privacy Act, including its civil 
liability and criminal penalty provisions. Unless otherwise permitted 
by law, an employee of the SBA shall:
    (a) Collect from individuals only the information that is relevant 
and necessary to discharge the responsibilities of the SBA;
    (b) Collect information about an individual directly from that 
individual whenever practicable;
    (c) Inform each individual from whom information is collected of:
    (1) The legal authority to collect the information and whether 
providing it is mandatory or voluntary;
    (2) The principal purpose for which the SBA intends to use the 
information;
    (3) The routine uses the SBA may make of the information; and
    (4) The effects on the individual, if any, of not providing the 
information;
    (d) Ensure that the office maintains no system of records without 
public notice and that it notifies appropriate SBA officials of the 
existence or development of any system of records that is not the 
subject of a current or planned public notice;
    (e) Maintain all records that are used by the SBA in making any 
determination about an individual with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to ensure 
fairness to the individual in the determination;
    (f) Except as to disclosures made to an agency or made under the 
FOIA, make reasonable efforts, prior to

[[Page 17374]]

disseminating any record about an individual, to ensure that the record 
is accurate, relevant, timely, and complete;
    (g) Maintain no record describing how an individual exercises his 
or her First Amendment rights, unless it is expressly authorized by 
statute or by the individual about whom the record is maintained, or is 
pertinent to and within the scope of an authorized law enforcement 
activity;
    (h) When required by the Privacy Act, maintain an accounting in the 
specified form of all disclosures of records by the SBA to persons, 
organizations, or agencies;
    (i) Maintain and use records with care to prevent the unauthorized 
or inadvertent disclosure of a record to anyone; and
    (j) Notify the appropriate SBA official of any record that contains 
information that the Privacy Act does not permit the SBA to maintain.


Sec.  102.37  Training requirements.

    All employees should attend privacy training within one year of 
employment with SBA. All employees with Privacy Act responsibilities 
must attend Privacy Act training, whenever needed, that is offered by 
the SBA.


Sec.  102.38  Other rights and services.

    Nothing in this subpart shall be construed to entitle any person, 
as a right, to any service or to the disclosure of any record to which 
such person is not entitled under the Privacy Act.


Sec.  102.39  SBA's exempt Privacy Act systems of records.

    (a) Systems of records subject to investigatory material exemption 
under 5 U.S.C. 552a(k)(2), or 5 U.S.C. 552a(k)(5) or both:
    (1) Office of Inspector General Records Other Than Investigation 
Records--SBA 4, contains records pertaining to audits, evaluations, and 
other non-audit services performed by the OIG;
    (2) Equal Employment Opportunity Complaint Cases--SBA 13, contains 
complaint files, Equal Employment Opportunity counselor's reports, 
investigation materials, notes, reports, and recommendations;
    (3) Investigative Files--SBA 16, contains records gathered by the 
OIG in the investigation of allegations that are within the 
jurisdiction of the OIG;
    (4) Investigations Division Management Information System--SBA 17, 
contains records gathered or created during preparation for, conduct 
of, and follow-up on investigations conducted by the OIG, the Federal 
Bureau of Investigation (FBI), and other Federal, State, local, or 
foreign regulatory or law enforcement agency;
    (5) Litigation and Claims Files--SBA 19, contains records relating 
to recipients classified as ``in litigation'' and all individuals 
involved in claims by or against the Agency;
    (6) Personnel Security Files--SBA 24, contains records on active 
and inactive personnel security files, employee or former employee's 
name, background information, personnel actions, OPM, and/or authorized 
contracting firm background investigations;
    (7) Security and Investigations Files--SBA 27, contains records 
gathered or created during preparation for, conduct of, and follow-up 
on investigations conducted by OIG, the FBI, and other Federal, State, 
local, or foreign regulatory or law enforcement agencies as well as 
other material submitted to or gathered by OIG in furtherance of its 
investigative function; and
    (8) Standards of Conduct Files--SBA 29, contains records on 
confidential employment and financial statements of employees Grade 13 
and above.
    (b) These systems of records are exempt from the following 
provisions of the Privacy Act and all regulations in this part 
promulgated under these provisions:
    (1) 552a(c)(3) (Accounting of Certain Disclosures);
    (2) 552a(d) (Access to Records);
    (3) 552a(e)(1), 4G, H, and I (Agency Requirements); and
    (4) 552a(f) (Agency Rules).
    (c) The systems of records described in paragraph (a) of this 
section are exempt from the provisions of the Privacy Act described in 
paragraph (b) of this section in order to:
    (1) Prevent the subject of investigations from frustrating the 
investigatory process;
    (2) Protect investigatory material compiled for law enforcement 
purposes;
    (3) Fulfill commitments made to protect the confidentiality of 
sources and to maintain access to necessary sources of information; or
    (4) Prevent interference with law enforcement proceedings.
    (d) In addition to the foregoing exemptions in paragraphs (a) 
through (c) of this section, the systems of records described in 
paragraph (a) of this section numbered SBA 4, 16, 17, 24, and 27 are 
exempt from the Privacy Act except for subsections (b), (c)(1) and (2), 
(e)(4)(A) through F, (e)(6), (7), (9), (10) and (11) and (i) to the 
extent that they contain:
    (1) Information compiled to identify individual criminal offenders 
and alleged offenders and consisting only of identifying data and 
notations of arrests, confinement, release, and parole and probation 
status;
    (2) Information, including reports of informants and investigators, 
associated with an identifiable individual compiled to investigate 
criminal activity; or
    (3) Reports compiled at any stage of the process of enforcement of 
the criminal laws from arrest or indictment through release from 
supervision associated with an identifiable individual.
    (e) The systems of records described in paragraph (d) of this 
section are exempt from the Privacy Act to the extent described in that 
paragraph because they are records maintained by the Investigations 
Division of the OIG, which is a component of SBA which performs as its 
principal function activities pertaining to the enforcement of criminal 
laws within the meaning of 5 U.S.C. 552a(j)(2). They are exempt in 
order to:
    (1) Prevent the subjects of OIG investigations from using the 
Privacy Act to frustrate the investigative process;
    (2) Protect the identity of Federal employees who furnish a 
complaint or information to the OIG, consistent with section 7(b) of 
the Inspector General Act of 1978, 5 U.S.C. app. 3;
    (3) Protect the confidentiality of other sources of information;
    (4) Avoid endangering confidential sources and law enforcement 
personnel;
    (5) Prevent interference with law enforcement proceedings;
    (6) Assure access to sources of confidential information, including 
that contained in Federal, State, and local criminal law enforcement 
information systems;
    (7) Prevent the disclosure of investigative techniques; or
    (8) Prevent the disclosure of classified information.


Sec.  102.40  Computer matching.

    The OCIO will enforce the computer matching provisions of the 
Privacy Act. The FOI/PA Office will review and concur on all computer 
matching agreements prior to their activation and/or renewal.
    (a) Matching agreements. SBA will comply with the Computer Matching 
and Privacy Protection Act of 1988 (5 U.S.C. 552a(o), 552a notes) . The 
Privacy Protection Act establishes procedures Federal agencies must use 
if they want to match their computer lists. SBA shall not disclose any 
record which is contained in a system of records to a recipient agency 
or non-Federal agency for use in a computer matching program except 
pursuant to a written agreement

[[Page 17375]]

between SBA and the recipient agency or non-Federal agency specifying:
    (1) The purpose and legal authority for conducting the program;
    (2) The justification for the purpose and the anticipated results, 
including a specific estimate of any savings;
    (3) A description of the records that will be matched, including 
each data element that will be used, the approximate number of records 
that will be matched, and the projected starting and completion dates 
of the matching program;
    (4) Procedures for providing individualized notice at the time of 
application, and periodically thereafter as directed by the Data 
Integrity Board, that any information provided by any of the above may 
be subject to verification through matching programs to:
    (i) Applicants for and recipients of financial assistance or 
payments under Federal benefit programs, and
    (ii) Applicants for and holders of positions as Federal personnel.
    (5) Procedures for verifying information produced in such matching 
program as required by paragraph (c) of this section.
    (6) Procedures for the retention and timely destruction of 
identifiable records created by a recipient agency or non-Federal 
agency in such matching program;
    (7) Procedures for ensuring the administrative, technical, and 
physical security of the records matched and the results of such 
programs;
    (8) Prohibitions on duplication and redisclosure of records 
provided by SBA within or outside the recipient agency or non-Federal 
agency, except where required by law or essential to the conduct of the 
matching program;
    (9) Procedures governing the use by a recipient agency or non-
Federal agency of records provided in a matching program by SBA, 
including procedures governing return of the records to SBA or 
destruction of records used in such programs;
    (10) Information on assessments that have been made on the accuracy 
of the records that will be used in such matching programs; and
    (11) That the Comptroller General may have access to all records of 
a recipient agency or non-Federal agency that the Comptroller General 
deems necessary in order to monitor or verify compliance with the 
agreement.
    (b) Agreement specifications. A copy of each agreement entered into 
pursuant to paragraph (a) of this section shall be transmitted to OMB, 
the Committee on Governmental Affairs of the Senate and the Committee 
on Governmental Operations of the House of Representatives and be 
available upon request to the public.
    (1) No such agreement shall be effective until 30 days after the 
date on which a copy is transmitted.
    (2) Such an agreement shall remain in effect only for such period, 
not to exceed 18 months, as the Data Integrity Board determines is 
appropriate in light of the purposes, and length of time necessary for 
the conduct, of the matching program.
    (3) Within three (3) months prior to the expiration of such an 
agreement, the Data Integrity Board may without additional review, 
renew the matching agreement for a current, ongoing matching program 
for not more than one additional year if:
    (i) Such program will be conducted without any change; and
    (ii) Each party to the agreement certifies to the Board in writing 
that the program has been conducted in compliance with the agreement.
    (c) Verification. In order to protect any individual whose records 
are used in matching programs, SBA and any recipient agency or non-
Federal agency may not suspend, terminate, reduce, or make a final 
denial of any financial assistance or payment under the Federal benefit 
program to such individual, or take other adverse action against such 
individual as a result of information produced by such matching 
programs until such information has been independently verified.
    (1) Independent verification requires independent investigation and 
confirmation of any information used as a basis for an adverse action 
against an individual including, where applicable:
    (i) The amount of the asset or income involved,
    (ii) Whether such individual actually has or had access to such 
asset or income or such individual's own use, and
    (iii) The period or periods when the individual actually had such 
asset or income.
    (2) SBA and any recipient agency or non-Federal agency may not 
suspend, terminate, reduce, or make a final denial of any financial 
assistance or payment under a Federal benefit program, or take other 
adverse action as a result of information produced by a matching 
program,
    (i) Unless such individual has received notice from such agency 
containing a statement of its findings and information of the 
opportunity to contest such findings, and
    (ii) Until the subsequent expiration of any notice period provided 
by the program's governing statute or regulations, or 30 days. Such 
opportunity to contest may be satisfied by notice, hearing, and appeal 
rights governing such Federal benefit program. The exercise of any such 
rights shall not affect rights available under the Privacy Act.
    (3) SBA may take any appropriate action otherwise prohibited by the 
above if SBA determines that the public health or safety may be 
adversely affected or significantly threatened during the notice period 
required by paragraph (c)(2)(ii) of this section.
    (d) Sanctions. Notwithstanding any other provision of law, SBA may 
not disclose any record which is contained in a system of records to a 
recipient agency or non-Federal agency for a matching program if SBA 
has reason to believe that the requirements of paragraph (c) of this 
section, or any matching agreement entered into pursuant to paragraph 
(b) of this section or both, are not being met by such recipient 
agency.
    (1) SBA shall not renew a matching agreement unless,
    (i) The recipient agency or non-Federal agency has certified that 
it has complied with the provisions of that agreement; and
    (ii) SBA has no reason to believe that the certification is 
inaccurate.
    (e) Review annually each ongoing matching program in which the 
Agency has participated during the year, either as a source or as a 
matching agency in order to assure that the requirements of the Privacy 
Act, OMB guidance, and any Agency regulations and standard operating 
procedures, operating instructions, or guidelines have been met.
    (f) Data Integrity Board. SBA shall establish a Data Integrity 
Board (Board) to oversee and coordinate the implementation of the 
matching program. The Board shall consist of the senior officials 
designated by the Administrator, to include the Inspector General (who 
shall not serve as chairman), and the Senior Agency Official for 
Privacy. The Board shall:
    (1) Review, approve and maintain all written agreements for receipt 
or disclosure of Agency records for matching programs to ensure 
compliance with paragraph (a) of this section and with all relevant 
statutes, regulations, and guidance;
    (2) Review all matching programs in which SBA has participated 
during the year, determine compliance with applicable laws, 
regulations, guidelines, and Agency agreements, and assess the costs 
and benefits of such programs;
    (3) Review all recurring matching programs in which SBA has 
participated

[[Page 17376]]

during the year, for continued justification for such disclosures;
    (4) At the instruction of OMB, compile a report to be submitted to 
the Administrator and OMB, and made available to the public on request, 
describing the matching activities of SBA, including,
    (i) Matching programs in which SBA has participated;
    (ii) Matching agreements proposed that were disapproved by the 
Board;
    (iii) Any changes in membership or structure of the Board in the 
preceding year;
    (iv) The reasons for any waiver of the requirement described below 
for completion and submission of a cost-benefit analysis prior to the 
approval of a matching program;
    (v) Any violations of matching agreements that have been alleged or 
identified and any corrective action taken; and
    (vi) Any other information required by OMB to be included in such 
report;
    (5) Serve as clearinghouse for receiving and providing information 
on the accuracy, completeness, and reliability of records used in 
matching programs;
    (6) Provide interpretation and guidance to SBA offices and 
personnel on the requirements for matching programs;
    (7) Review Agency recordkeeping and disposal policies and practices 
for matching programs to assure compliance with the Privacy Act; and
    (8) May review and report on any SBA matching activities that are 
not matching programs.
    (g) Cost-benefit analysis. Except as provided in paragraphs (e)(2) 
and (3) of this section, the Data Integrity Board shall not approve any 
written agreement for a matching program unless SBA has completed and 
submitted to such Board a cost-benefit analysis of the proposed program 
and such analysis demonstrates that the program is likely to be cost 
effective. The Board may waive these requirements if it determines, in 
writing, and in accordance with OMB guidelines, that a cost-benefit 
analysis is not required. Such an analysis also shall not be required 
prior to the initial approval of a written agreement for a matching 
program that is specifically required by statute.
    (h) Disapproval of matching agreements. If a matching agreement is 
disapproved by the Data Integrity Board, any party to such agreement 
may appeal to OMB. Timely notice of the filing of such an appeal shall 
be provided by OMB to the Committee on Governmental Affairs of the 
Senate and the Committee on Government Operations of the House of 
Representatives.
    (1) OMB may approve a matching agreement despite the disapproval of 
the Data Integrity Board if OMB determines that:
    (i) The matching program will be consistent with all applicable 
legal, regulatory, and policy requirements;
    (ii) There is adequate evidence that the matching agreement will be 
cost-effective; and
    (iii) The matching program is in the public interest.
    (2) The decision of OMB to approve a matching agreement shall not 
take effect until 30 days after it is reported to the committees 
described in paragraph (h) of this section.
    (3) If the Data Integrity Board and the OMB disapprove a matching 
program proposed by the Inspector General, the Inspector General may 
report the disapproval to the Administrator and to the Congress.


Sec.  102.41  Other provisions.

    (a) Personnel Records. All SBA personnel records and files, as 
prescribed by OPM, shall be maintained in such a way that the privacy 
of all individuals concerned is protected in accordance with 
regulations of OPM (5 CFR parts 293 and 297).
    (b) Mailing Lists. The SBA will not sell or rent an individual's 
name or address. This provision shall not be construed to require the 
withholding of names or addresses otherwise permitted to be made 
public.
    (c) Changes in Systems. The SBA shall provide adequate advance 
notice to Congress and OMB of any proposal to establish or alter any 
system of records in order to permit an evaluation of the probable or 
potential effect of such proposal on the privacy and other personal or 
property rights of individuals or the disclosure of information 
relating to such individuals, and its effect on the preservation of the 
constitutional principles of federalism and separation of powers.
    (d) Medical Records. Medical records shall be disclosed to the 
individual to whom they pertain. SBA may, however, transmit such 
information to a medical doctor named by the requesting individual. In 
regard to medical records in personnel files, see also 5 CFR 297.205.

Steven C. Preston,
Administrator.
[FR Doc. 07-1651 Filed 4-6-07; 8:45 am]
BILLING CODE 8025-01-P