[Federal Register Volume 74, Number 147 (Monday, August 3, 2009)]
[Proposed Rules]
[Pages 38363-38366]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-18352]


 ========================================================================
 Proposed Rules
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains notices to the public of 
 the proposed issuance of rules and regulations. The purpose of these 
 notices is to give interested persons an opportunity to participate in 
 the rule making prior to the adoption of the final rules.
 
 ========================================================================
 

  Federal Register / Vol. 74, No. 147 / Monday, August 3, 2009 / 
Proposed Rules  

[[Page 38363]]


=======================================================================
-----------------------------------------------------------------------

RECOVERY ACCOUNTABILITY AND TRANSPARENCY BOARD

4 CFR Part 200

RIN 0430-AA00


Implementation of Privacy Act of 1974

AGENCY: Recovery Accountability and Transparency Board.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Recovery Accountability and Transparency Board (Board) is 
proposing to implement a set of procedural regulations under the 
Privacy Act of 1974 (Privacy Act or the Act), Public Law 93-579, 5 
U.S.C. 552a. The proposed regulations have been written to conform to 
the statutory provisions of the Act. They are intended to expedite the 
processing of Privacy Act requests received by the Board and to ensure 
the proper dissemination of information to the public.

DATES: Comments on the proposed rule should be submitted no later than 
October 2, 2009.

ADDRESSES: Comments on this proposed rule may be submitted:
    By Mail or Hand Delivery: Office of General Counsel, Recovery 
Accountability and Transparency Board, 1717 Pennsylvania Avenue, NW., 
Suite 700, Washington, DC 20006;
    By Fax: (202) 254-7970; or
    By E-mail to the Board: [email protected].
    All comments on this proposed Privacy Act rule should be clearly 
identified as such.

FOR FURTHER INFORMATION CONTACT: Jennifer Dure, General Counsel, (202) 
254-7900.

SUPPLEMENTARY INFORMATION: This proposed rule is intended to set forth 
the procedures to be used by members of the public when requesting 
records from the Board under the Privacy Act. It also establishes a 
timeframe for responses, a fee schedule for copying records, and 
charges for obtaining information, when applicable.
    All written comments received on this document by October 2, 2009, 
will be fully considered before publication of the final rule. Any 
information considered confidential must be so identified and submitted 
in writing. Comments submitted anonymously will not be considered. 
However, name and/or address may be withheld on request.

Executive Order 12866

    The proposed regulation does not meet the criteria for a 
significant regulatory action under Executive Order 12866. Therefore, 
review by the Office of Management and Budget is not required.

Regulatory Flexibility Act

    The proposed rule adds Privacy Act regulations to 4 CFR part 200 
and will not have a significant economic impact on a substantial number 
of small entities.

Paperwork Reduction Act

    The rule imposes no additional recording and recordkeeping 
requirements and is therefore exempt from the requirements of the 
Paperwork Reduction Act.

List of Subjects in 4 CFR Part 200

    Administrative practice and procedure, Privacy, Reporting and 
recordkeeping requirements.

    Under the authority at Public Law 111-5, 123 Stat. 115 (2009), the 
Board proposes to amend Title 4 of the Code of Federal Regulations by 
establishing a new Chapter II, consisting of Part 200 to read as 
follows:

CHAPTER II--RECOVERY ACCOUNTABILITY AND TRANSPARENCY BOARD

PART 200--PRIVACY ACT OF 1974

Sec.
200.1 Purpose and scope.
200.2 Definitions.
200.3 Privacy Act records maintained by the Board.
200.4 Privacy Act inquiries.
200.5 Requests for access to records.
200.6 Processing of requests.
200.7 Fees.
200.8 Appealing denials of access.
200.9 Requests for correction of records.
200.10 Disclosure of records to third parties.
200.11 Maintaining records of disclosures.
200.12 Notification of systems of Privacy Act records.
200.13 Privacy Act training.
200.14 Responsibility for maintaining adequate safeguards.
200.15 Systems of records covered by exemptions.
200.16 Mailing lists.

    Authority: 5 U.S.C. 552a(f).


Sec.  200.1  Purpose and scope.

    This part sets forth the policies and procedures of the Board 
regarding access to systems of records maintained by the Board under 
the Privacy Act, Public Law 93-579, 5 U.S.C. 552a. The provisions in 
the Act shall take precedence over any part of the Board's regulations 
in conflict with the Act. These regulations establish procedures by 
which an individual may exercise the rights granted by the Privacy Act 
to determine whether a Board system of records contains a record 
pertaining to him or her; to gain access to such records; and to 
request correction or amendment of such records. These regulations also 
set identification requirements and prescribe fees to be charged for 
copying records.


Sec.  200.2  Definitions.

    As used in this part:
    (a) Agency means any executive department, military department, 
government corporation, or other establishment in the executive branch 
of the federal government, including the Executive Office of the 
President or any independent regulatory agency;
    (b) Individual means any citizen of the United States or an alien 
lawfully admitted for permanent residence;
    (c) Maintain means to collect, use, store, or disseminate records 
as well as any combination of these recordkeeping functions. The term 
also includes exercise of control over, and therefore responsibility 
and accountability for, systems of records;
    (d) Record means any item, collection, or grouping of information 
about an individual that is maintained by the Board and contains the 
individual's name or other identifying information, such as a number or 
symbol assigned to the individual or his or her fingerprint, voice 
print, or photograph. The term includes, but is not limited to, 
information regarding an individual's education, financial 
transactions, medical history, and criminal or employment history;
    (e) System of records means a group of records under the control of 
the Board from which information is

[[Page 38364]]

retrievable by use of the name of the individual or by some number, 
symbol, or other identifying particular assigned to the individual;
    (f) Routine use means, with respect to the disclosure of a record, 
the use of a record for a purpose that is compatible with the purpose 
for which it was collected;
    (g) Designated Privacy Act Officer means the person named by the 
Board to administer the Board's activities in regard to the regulations 
in this part;
    (h) Executive Director means the chief operating officer of the 
Board;
    (i) Days means standard working days, excluding weekends and 
Federal holidays.


Sec.  200.3  Privacy Act records maintained by the Board.

    (a) The Board shall maintain only such information about an 
individual as is relevant and necessary to accomplish a purpose of the 
agency required by statute or by Executive Order of the President. In 
addition, the Board shall maintain all records that are used in making 
determinations about any individual with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to ensure 
fairness to that individual in the making of any determination about 
him or her. However, the Board shall not be required to update retired 
records.
    (b) The Board shall not maintain any record about any individual 
with respect to or describing how such individual exercises rights 
guaranteed by the First Amendment of the Constitution of the United 
States, unless expressly authorized by statute or by the subject 
individual, or unless pertinent to and within the scope of an 
authorized law enforcement activity.


Sec.  200.4  Privacy Act inquiries.

    (a) Inquiries regarding the contents of record systems. Any person 
wanting to know whether the Board's systems of records contain a record 
pertaining to him or her may file an inquiry in person, by mail or by 
telephone.
    (b) Inquiries in person may be submitted at the Board's 
headquarters located at 1717 Pennsylvania Avenue, NW., Suite 700, 
Washington, DC 20006. Inquiries should be marked ``Privacy Act 
Inquiry'' on each page of the inquiry and on the front of the envelope 
and directed to the Privacy Act Officer.
    (c) Inquiries by mail may be sent to: Privacy Act Officer, Recovery 
Accountability and Transparency Board, 1717 Pennsylvania Avenue, NW., 
Suite 700, Washington, DC 20006. ``Privacy Act Inquiry'' should be 
written on the envelope and each page of the inquiry.
    (d) Telephone inquiries may be made by calling the Board's Privacy 
Act Officer at (202) 254-7900.


Sec.  200.5  Requests for access to records.

    (a) All requests for records should include the following 
information:
    (1) Full name, address, and telephone number of requester.
    (2) The system of records containing the desired information.
    (3) Any other information that the requester believes would help 
locate the record.
    (b) Requests in writing. A person may request access to his or her 
own records in writing by addressing a letter to: Privacy Act Officer, 
Recovery Accountability and Transparency Board, 1717 Pennsylvania 
Avenue, NW., Suite 700, Washington, DC 20006.
    (c) Requests by fax. A person may request access to his or her 
records by facsimile at (202) 254-7970.
    (d) Requests by phone. A person may request access to his or her 
records by calling the Privacy Act Officer at (202) 254-7900.
    (e) Requests in person. Any person may examine and request copies 
of his or her own records on the Board's premises. The requester should 
contact the Board's office at least one week before the desired 
appointment date. This request may be made to the Privacy Act Officer 
in writing or by calling (202) 254-7900. Before viewing the records, 
proof of identification must be provided. The identification should be 
a valid copy of one of the following:
     A government ID;
     A driver's license;
     A passport; or
     Other current identification that contains both an address 
and a picture of the requester.


Sec.  200.6  Processing of requests.

    Upon receipt of a request for information, the Privacy Act Officer 
will ascertain whether the records identified by the requester exist, 
and whether they are subject to any exemption under Sec.  200.15 below.
    If the records exist and are not subject to exemption, the Privacy 
Act Officer will provide the information.
    (a) Requests in writing, including those sent by fax. Within five 
working days of receiving the request, the Privacy Act Officer will 
acknowledge its receipt and will advise the requester of any additional 
information that may be needed. Within 15 working days of receiving the 
request, the Privacy Act Officer will send the requested information or 
will explain to the requester why additional time is needed for a 
response.
    (b) Requests in person or by telephone. Within 15 days of the 
initial request, the Privacy Act Officer will contact the requester and 
arrange an appointment at a mutually agreeable time when the record can 
be examined. The requester may be accompanied by no more than one 
person. In such case, the requester must inform the Privacy Act Officer 
that a second individual will be present and must sign a statement 
authorizing disclosure of the records to that person. The statement 
will be kept with the requester's records. At the appointment, the 
requester will be asked to present identification as stated in Sec.  
200.5(e).
    (c) Excluded information. If a request is received for information 
compiled in reasonable anticipation of litigation, the Privacy Act 
Officer will inform the requester that the information is not subject 
to release under the Privacy Act (see 5 U.S.C. 552a(d)(5)).


Sec.  200.7  Fees.

    A fee will not be charged for searching, reviewing, or making 
corrections to records. A fee for copying will be assessed at the same 
rate established for the Freedom of Information Act requests. 
Duplication fees for paper copies of a record will be 10 cents per page 
for black and white and 20 cents per page for color. For all other 
forms of duplication, the Board will charge the direct costs of 
producing the copy. However, the first 100 pages of black-and-white 
copying or its equivalent will be free of charge.


Sec.  200.8  Appealing denials of access.

    If access to records is denied by the Privacy Act Officer, the 
requester may file an appeal in writing. The appeal should be directed 
to Executive Director, Recovery Accountability and Transparency Board, 
1717 Pennsylvania Avenue, NW., Suite 700, Washington, DC 20006.
    The appeal letter must specify the denied records that are still 
sought, and state why denial by the Privacy Act Officer is erroneous.
    The Executive Director or his or her designee will respond to 
appeals within 20 working days of the receipt of the appeal letter. The 
appeal determination will explain the basis of the decision to deny or 
grant the appeal.


Sec.  200.9  Requests for correction of records.

    (a) Correction requests. Any person is entitled to request 
correction of his or her record(s) covered under the Act. The request 
must be made in writing and should be addressed to Privacy Act Officer, 
Recovery Accountability and Transparency Board, 1717 Pennsylvania

[[Page 38365]]

Avenue, NW., Suite 700, Washington, DC 20006. The letter should clearly 
identify the corrections desired. In most circumstances, an edited copy 
of the record will be acceptable for this purpose.
    (b) Initial response. Receipt of a correction request will be 
acknowledged by the Privacy Act Officer in writing within five working 
days. The Privacy Act Officer will provide a letter to the requester 
within 20 working days stating whether the request for correction has 
been granted or denied. If the Privacy Act Officer denies any part of 
the correction request, the reasons for the denial will be provided to 
the requester.


Sec.  200.10  Disclosure of records to third parties.

    (a) The Board will not disclose any record that is contained in a 
system of records to any person or agency, except with a written 
request by or with the prior written consent of the individual whose 
record is requested, unless disclosure of the record is:
    (1) Required by an employee or agent of the Board in the 
performance of his/her official duties.
    (2) Required under the provisions of the Freedom of Information Act 
(5 U.S.C. 552). Records required to be made available by the Freedom of 
Information Act will be released in response to a request in accordance 
with the Board's regulation published at 4 CFR Part 201.
    (3) For a routine use as published in the annual notice in the 
Federal Register.
    (4) To the Census Bureau for planning or carrying out a census, 
survey, or related activities pursuant to the provisions of Title 13 of 
the United States Code.
    (5) To a recipient who has provided the Board with adequate advance 
written assurance that the record will be used solely as a statistical 
research or reporting record and that the record is to be transferred 
in a form that is not individually identifiable.
    (6) To the National Archives and Records Administration as a record 
that has sufficient historical or other value to warrant its continued 
preservation by the United States government, or for evaluation by the 
Archivist of the United States, or his or her designee, to determine 
whether the record has such value.
    (7) To another agency or to an instrumentality of any governmental 
jurisdiction within or under the control of the United States for a 
civil or criminal law enforcement activity, if the activity is 
authorized by law, and if the head of the agency or instrumentality has 
made a written request to the Board for such records specifying the 
particular part desired and the law enforcement activity for which the 
record is sought. The Board also may disclose such a record to a law 
enforcement agency on its own initiative in situations in which 
criminal conduct is suspected, provided that such disclosure has been 
established as a routine use, or in situations in which the misconduct 
is directly related to the purpose for which the record is maintained.
    (8) To a person pursuant to a showing of compelling circumstances 
affecting the health or safety of an individual if, upon such 
disclosure, notification is transmitted to the last known address of 
such individual.
    (9) To either House of Congress, or, to the extent of matters 
within its jurisdiction, any committee or subcommittee thereof, any 
joint committee of Congress or subcommittee of any such joint 
committee.
    (10) To the Comptroller General, or any of his or her authorized 
representatives, in the course of the performance of official duties of 
the Government Accountability Office.
    (11) Pursuant to an order of a court of competent jurisdiction. In 
the event that any record is disclosed under such compulsory legal 
process, the Board shall make reasonable efforts to notify the subject 
individual after the process becomes a matter of public record.
    (12) To a consumer reporting agency in accordance with 31 U.S.C. 
3711(e).
    (b) Before disseminating any record about any individual to any 
person other than a Board employee, the Board shall make reasonable 
efforts to ensure that the records are, or were at the time they were 
collected, accurate, complete, timely, and relevant. This paragraph (b) 
does not apply to disseminations made pursuant to the provisions of the 
Freedom of Information Act (5 U.S.C. 552) and paragraph (a)(2) of this 
section.


Sec.  200.11  Maintaining records of disclosure.

    (a) The Board shall maintain a log containing the date, nature, and 
purposes of each disclosure of a record to any person or agency. Such 
accounting also shall contain the name and address of the person or 
agency to whom or to which each disclosure was made. This log will not 
include disclosures made to Board employees or agents in the course of 
their official duties or pursuant to the provisions of the Freedom of 
Information Act (5 U.S.C. 552).
    (b) An accounting of each disclosure shall be retained for at least 
five years after the accounting is made or for the life of the record 
that was disclosed, whichever is longer.
    (c) The Board shall make the accounting of disclosure of a record 
pertaining to an individual available to that individual at his or her 
request. Such a request should be made in accordance with the 
procedures set forth in Sec.  200.5. This paragraph (c) does not apply 
to disclosure made for law enforcement purposes under 5 U.S.C. 
552a(b)(7) and Sec.  200.10(a)(7).


Sec.  200.12  Notification of systems of Privacy Act records.

    (a) Public Notice. The Board periodically reviews its systems of 
records and will publish information about any significant additions or 
changes to those systems in the Federal Register. Information about 
systems of records maintained by other agencies that are in the 
temporary custody of the Board will not be published. In addition, the 
Office of the Federal Register biennially compiles and publishes all 
systems of records maintained by all federal agencies, including the 
Board.
    (b) At least 30 days before publishing additions or changes to the 
Board's systems of records, the Board will publish a notice of intent 
to amend, providing the public with an opportunity to comment on the 
proposed amendments to its systems of records in the Federal Register.


Sec.  200.13  Privacy Act training.

    (a) The Board shall ensure that all persons involved in the design, 
development, operation, or maintenance of any Board systems of records 
are informed of all requirements necessary to protect the privacy of 
individuals. The Board shall ensure that all employees having access to 
records receive adequate training in their protection and that records 
have adequate and proper storage with sufficient security to ensure 
their privacy.
    (b) All employees shall be informed of the civil remedies provided 
under 5 U.S.C. 552a(g)(1) and other implications of the Privacy Act and 
of the fact that the Board may be subject to civil remedies for failure 
to comply with the provisions of the Privacy Act and the regulations in 
this part.


Sec.  200.14  Responsibility for maintaining adequate safeguards.

    The Board has the responsibility for maintaining adequate 
technical, physical, and security safeguards to

[[Page 38366]]

prevent unauthorized disclosure or destruction of manual and automated 
records systems. These security safeguards shall apply to all systems 
of records in which identifiable personal data are processed or 
maintained, including all reports and output from such systems of 
records that contain identifiable personal information. Such safeguards 
must be sufficient to prevent negligent, accidental, or unintentional 
disclosure, modification, or destruction of any personal records or 
data; must minimize, to the extent practicable, the risk that skilled 
technicians or knowledgeable persons could improperly obtain access to 
modify or destroy such records or data; and shall further ensure 
against such casual entry by unskilled persons without official reasons 
for access to such records or data.
    (a) Manual systems. (1) Records contained in a system of records as 
defined in this part may be used, held, or stored only where facilities 
are adequate to prevent unauthorized access by persons within or 
outside the Board.
    (2) Access to and use of a system of records shall be permitted 
only to persons whose duties require such access to the information for 
routine uses or for such other uses as may be provided in this part.
    (3) Other than for access by employees or agents of the Board, 
access to records within a system of records shall be permitted only to 
the individual to whom the record pertains or upon his or her written 
request.
    (4) The Board shall ensure that all persons whose duties require 
access to and use of records contained in a system of records are 
adequately trained to protect the security and privacy of such records.
    (5) The disposal and destruction of identifiable personal data 
records shall be done by shredding and in accordance with rules 
promulgated by the Archivist of the United States.
    (b) Automated systems. (1) Identifiable personal information may be 
processed, stored, or maintained by automated data systems only where 
facilities or conditions are adequate to prevent unauthorized access to 
such systems in any form.
    (2) Access to and use of identifiable personal data associated with 
automated data systems shall be limited to those persons whose duties 
require such access. Proper control of personal data in any form 
associated with automated data systems shall be maintained at all 
times, including maintenance of accountability records showing 
disposition of input and output documents.
    (3) All persons whose duties require access to processing and 
maintenance of identifiable personal data and automated systems shall 
be adequately trained in the security and privacy of personal data.
    (4) The disposal and disposition of identifiable personal data and 
automated systems shall be done by shredding, burning, or, in the case 
of electronic records, by degaussing or by overwriting with the 
appropriate security software, in accordance with regulations of the 
Archivist of the United States or other appropriate authority.


Sec.  200.15  Systems of records covered by exemptions.

    The Board currently has no exempt systems of records.


Sec.  200.16  Mailing lists.

    The Board shall not sell or rent an individual's name and/or 
address unless such action is specifically authorized by law. This 
section shall not be construed to require the withholding of names and 
addresses otherwise permitted to be made public.

Ivan J. Flores,
Paralegal Specialist, Recovery Accountability and Transparency Board.
[FR Doc. E9-18352 Filed 7-31-09; 8:45 am]