[Federal Register Volume 74, Number 223 (Friday, November 20, 2009)]
[Rules and Regulations]
[Pages 60127-60130]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-27878]



 ========================================================================
 Rules and Regulations
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains regulatory documents 
 having general applicability and legal effect, most of which are keyed 
 to and codified in the Code of Federal Regulations, which is published 
 under 50 titles pursuant to 44 U.S.C. 1510.
 
 The Code of Federal Regulations is sold by the Superintendent of Documents. 
 Prices of new books are listed in the first FEDERAL REGISTER issue of each 
 week.
 
 ========================================================================
 

  Federal Register / Vol. 74, No. 223 / Friday, November 20, 2009 / 
Rules and Regulations  

[[Page 60127]]



RECOVERY ACCOUNTABILITY AND TRANSPARENCY BOARD

4 CFR Part 200

RIN 0430-AA00


Implementation of Privacy Act of 1974

AGENCY: Recovery Accountability and Transparency Board.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This document institutes the Recovery Accountability and 
Transparency Board's (Board) final rule implementing a set of 
procedural regulations under the Privacy Act of 1974 (Privacy Act or 
the Act), Public Law 93-579, 5 U.S.C. 552a. These regulations have been 
written to conform to the statutory provisions of the Act. They are 
intended to expedite the processing of Privacy Act requests received by 
the Board and to ensure the proper dissemination of information to the 
public.

DATES: Effective November 20, 2009.

FOR FURTHER INFORMATION CONTACT: Jennifer Dure, General Counsel, (202) 
254-7900.

SUPPLEMENTARY INFORMATION: The proposed rule was published in the 
Federal Register on August 3, 2009 (74 FR 38363) for a public comment 
period to end on October 2, 2009. This rule sets forth the procedures 
to be used by members of the public when requesting records from the 
Board under the Privacy Act. It also establishes a timeframe for 
responses, a fee schedule for copying records, and charges for 
obtaining information, when applicable.

Public Comment

    The Board received one comment on the proposed rule requesting an 
explanation concerning the differences between the proposed Privacy Act 
and Freedom of Information Act (FOIA) rules regarding what is 
procedurally required in order for an individual to request access to 
records, in the custody of the Board. A discussion of the comment and 
the Board's response are set forth below.

Comments on the Proposed Rule and Explanation

    Under the Board's proposed Privacy Act rules, all requests should 
include, among other things, the requesters full name, address, and 
telephone number. Requests for Privacy Act records may be made in 
writing, by fax, by telephone, or in person. The commenter contends 
that there are additional and more stringent requirements placed on a 
requester who requests access to his or her records in person. More 
specifically, such a requester must contact the Board's office at least 
one week before the desired appointment date. In addition, before a 
requester can review his or her records, the requester must provide 
proof of identification. Identification should be a valid copy of one 
of the following: A government ID, a driver's license, a passport, or 
other current identification that contains both an address and a 
picture of the requester.
    According to the commenter, the process for requesting records 
under the Board's proposed FOIA rules ``seem[s] quite simplified.'' 
Under the proposed FOIA rules (74 FR 38366), all requests for records 
must include the requester's full name, address, and telephone number. 
Such a request can be made in writing, via e-mail, or via fax. The 
commenter correctly points out that the proposed FOIA rule does not 
provide the option of an in-person request. The commenter concluded 
that the differences in treatment of requesters for access to the 
Board's Privacy Act records seem unnecessary, especially with respect 
to the identification information required of a requester seeking 
information in person.
    The commenter correctly points out the difference between the 
proposed Privacy Act and FOIA rules, but there is a reason for the 
difference between them which stems from the laws at issue. Briefly, a 
Privacy Act request is a request from an individual seeking to review 
and/or make corrections to federal records, maintained and retrieved in 
an approved system of records, which are about that individual--with 
very limited exceptions, no one else can ask for these records. A FOIA 
request is a request from the general public for copies of specific 
records maintained by a federal agency--any member of the public can 
make such a request. When individuals request information about 
themselves contained in an approved Privacy Act system of records, the 
request should be handled under the Privacy Act. Requested records 
about an individual not contained in an approved system of records 
asked for under the Privacy Act will have their request processed under 
the FOIA, since no access rights exist under the Privacy Act.
    Because the nature of a Privacy Act request is narrow and specific 
to an individual in an approved system of records, the Board feels that 
providing the additional provisions to request and examine records in 
person is reasonable. In addition, in order to ensure that individuals 
who request to examine records in person are who they claim to be, it 
is necessary to require that individuals provide the proper proof of 
identification as set forth in the proposed Privacy Act rules. This 
Privacy Act requirement is designed to protect requesters from having 
their personal information disclosed to anyone else.

Executive Order 12866

    The proposed regulation does not meet the criteria for a 
significant regulatory action under Executive Order 12866. Therefore, 
review by the Office of Management and Budget is not required.

Regulatory Flexibility Act

    The proposed rule adds Privacy Act regulations to 4 CFR Part 200 
and will not have a significant economic impact on a substantial number 
of small entities.

Paperwork Reduction Act

    The rule imposes no additional recording and recordkeeping 
requirements and is therefore exempt from the requirements of the 
Paperwork Reduction Act.

List of Subjects in 4 CFR Part 200

    Administrative practice and procedure, Privacy, Reporting and 
recordkeeping requirements.


0
Therefore, the Board amends Title 4 of the Code of Federal Regulations 
by adding Part 200 to read as follows:

[[Page 60128]]

CHAPTER II--RECOVERY ACCOUNTABILITY AND TRANSPARENCY BOARD

PART 200--PRIVACY ACT OF 1974

200.1 Purpose and scope.
200.2 Definitions.
200.3 Privacy Act records maintained by the Board.
200.4 Privacy Act inquiries.
200.5 Requests for access to records.
200.6 Processing of requests.
200.7 Fees.
200.8 Appealing denials of access.
200.9 Requests for correction of records.
200.10 Disclosure of records to third parties.
200.11 Maintaining records of disclosures.
200.12 Notification of systems of Privacy Act records.
200.13 Privacy Act training.
200.14 Responsibility for maintaining adequate safeguards.
200.15 Systems of records covered by exemptions.
200.16 Mailing lists.

    Authority:  5 U.S.C. 552a(f).


Sec.  200.1  Purpose and scope.

    This part sets forth the policies and procedures of the Board 
regarding access to systems of records maintained by the Board under 
the Privacy Act, Public Law 93-579, 5 U.S.C. 552a. The provisions in 
the Act shall take precedence over any part of the Board's regulations 
in conflict with the Act. These regulations establish procedures by 
which an individual may exercise the rights granted by the Privacy Act 
to determine whether a Board system of records contains a record 
pertaining to him or her; to gain access to such records; and to 
request correction or amendment of such records. These regulations also 
set identification requirements and prescribe fees to be charged for 
copying records.


Sec.  200.2  Definitions.

    As used in this part:
    (a) Agency means any executive department, military department, 
government corporation, or other establishment in the executive branch 
of the federal government, including the Executive Office of the 
President or any independent regulatory agency;
    (b) Individual means any citizen of the United States or an alien 
lawfully admitted for permanent residence;
    (c) Maintain means to collect, use, store, or disseminate records 
as well as any combination of these recordkeeping functions. The term 
also includes exercise of control over, and therefore responsibility 
and accountability for, systems of records;
    (d) Record means any item, collection, or grouping of information 
about an individual that is maintained by the Board and contains the 
individual's name or other identifying information, such as a number or 
symbol assigned to the individual or his or her fingerprint, voice 
print, or photograph. The term includes, but is not limited to, 
information regarding an individual's education, financial 
transactions, medical history, and criminal or employment history;
    (e) System of records means a group of records under the control of 
the Board from which information is retrievable by use of the name of 
the individual or by some number, symbol, or other identifying 
particular assigned to the individual;
    (f) Routine use means, with respect to the disclosure of a record, 
the use of a record for a purpose that is compatible with the purpose 
for which it was collected;
    (g) Designated Privacy Act Officer means the person named by the 
Board to administer the Board's activities in regard to the regulations 
in this part;
    (h) Executive Director means the chief operating officer of the 
Board;
    (i) Days means standard working days, excluding weekends and 
federal holidays.


Sec.  200.3  Privacy Act records maintained by the Board.

    (a) The Board shall maintain only such information about an 
individual as is relevant and necessary to accomplish a purpose of the 
agency required by statute or by Executive Order of the President. In 
addition, the Board shall maintain all records that are used in making 
determinations about any individual with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to ensure 
fairness to that individual in the making of any determination about 
him or her. However, the Board shall not be required to update retired 
records.
    (b) The Board shall not maintain any record about any individual 
with respect to or describing how such individual exercises rights 
guaranteed by the First Amendment of the Constitution of the United 
States, unless expressly authorized by statute or by the subject 
individual, or unless pertinent to and within the scope of an 
authorized law enforcement activity.


Sec.  200.4  Privacy Act inquiries.

    (a) Inquiries regarding the contents of record systems. Any person 
wanting to know whether the Board's systems of records contain a record 
pertaining to him or her may file an inquiry in person, by mail or by 
telephone.
    (b) Inquiries in person may be submitted at the Board's 
headquarters located at 1717 Pennsylvania Avenue, NW., Suite 700, 
Washington, DC 20006. Inquiries should be marked ``Privacy Act 
Inquiry'' on each page of the inquiry and on the front of the envelope 
and directed to the Privacy Act Officer.
    (c) Inquiries by mail may be sent to: Privacy Act Officer, Recovery 
Accountability and Transparency Board, 1717 Pennsylvania Avenue, NW., 
Suite 700, Washington, DC 20006. ``Privacy Act Inquiry'' should be 
written on the envelope and each page of the inquiry.
    (d) Telephone inquiries may be made by calling the Board's Privacy 
Act Officer at (202) 254-7900.


Sec.  200.5  Requests for access to records.

    (a) All requests for records should include the following 
information:
    (1) Full name, address, and telephone number of requester.
    (2) The system of records containing the desired information.
    (3) Any other information that the requester believes would help 
locate the record.
    (b) Requests in writing. A person may request access to his or her 
own records in writing by addressing a letter to: Privacy Act Officer, 
Recovery Accountability and Transparency Board, 1717 Pennsylvania 
Avenue, NW., Suite 700, Washington, DC 20006.
    (c) Requests by fax. A person may request access to his or her 
records by facsimile at (202) 254-7970.
    (d) Requests by phone. A person may request access to his or her 
records by calling the Privacy Act Officer at (202) 254-7900.
    (e) Requests in person. Any person may examine and request copies 
of his or her own records on the Board's premises. The requester should 
contact the Board's office at least one week before the desired 
appointment date. This request may be made to the Privacy Act Officer 
in writing or by calling (202) 254-7900. Before viewing the records, 
proof of identification must be provided. The identification should be 
a valid copy of one of the following:
    (1) A government ID;
    (2) A driver's license;
    (3) A passport; or
    (4) Other current identification that contains both an address and 
a picture of the requester.


Sec.  200.6  Processing of requests.

    Upon receipt of a request for information, the Privacy Act Officer 
will ascertain whether the records identified by the requester exist, 
and whether they are subject to any exemption under Sec.  200.15. If 
the records exist and are not subject to exemption, the Privacy Act 
Officer will provide the information.

[[Page 60129]]

    (a) Requests in writing, including those sent by fax. Within five 
working days of receiving the request, the Privacy Act Officer will 
acknowledge its receipt and will advise the requester of any additional 
information that may be needed. Within 15 working days of receiving the 
request, the Privacy Act Officer will send the requested information or 
will explain to the requester why additional time is needed for a 
response.
    (b) Requests in person or by telephone. Within 15 days of the 
initial request, the Privacy Act Officer will contact the requester and 
arrange an appointment at a mutually agreeable time when the record can 
be examined. The requester may be accompanied by no more than one 
person. In such case, the requestor must inform the Privacy Act Officer 
that a second individual will be present and must sign a statement 
authorizing disclosure of the records to that person. The statement 
will be kept with the requester's records. At the appointment, the 
requester will be asked to present identification as stated in Sec.  
200.5(e).
    (c) Excluded information. If a request is received for information 
compiled in reasonable anticipation of litigation, the Privacy Act 
Officer will inform the requester that the information is not subject 
to release under the Privacy Act (see 5 U.S.C. 552a(d)(5)).


Sec.  200.7  Fees.

    A fee will not be charged for searching, reviewing, or making 
corrections to records. A fee for copying will be assessed at the same 
rate established for the Freedom of Information Act requests. 
Duplication fees for paper copies of a record will be 10 cents per page 
for black and white and 20 cents per page for color. For all other 
forms of duplication, the Board will charge the direct costs of 
producing the copy. However, the first 100 pages of black-and-white 
copying or its equivalent will be free of charge.


Sec.  200.8  Appealing denials of access.

    (a) If access to records is denied by the Privacy Act Officer, the 
requester may file an appeal in writing. The appeal should be directed 
to Executive Director, Recovery Accountability and Transparency Board, 
1717 Pennsylvania Avenue, NW., Suite 700, Washington, DC 20006.
    (b) The appeal letter must specify the denied records that are 
still sought, and state why denial by the Privacy Act Officer is 
erroneous.
    (c) The Executive Director or his or her designee will respond to 
appeals within 20 working days of the receipt of the appeal letter. The 
appeal determination will explain the basis of the decision to deny or 
grant the appeal.


Sec.  200.9  Requests for correction of records.

    (a) Correction requests. Any person is entitled to request 
correction of his or her record(s) covered under the Act. The request 
must be made in writing and should be addressed to Privacy Act Officer, 
Recovery Accountability and Transparency Board, 1717 Pennsylvania 
Avenue, NW., Suite 700, Washington, DC 20006. The letter should clearly 
identify the corrections desired. In most circumstances, an edited copy 
of the record will be acceptable for this purpose.
    (b) Initial response. Receipt of a correction request will be 
acknowledged by the Privacy Act Officer in writing within five working 
days. The Privacy Act Officer will provide a letter to the requester 
within 20 working days stating whether the request for correction has 
been granted or denied. If the Privacy Act Officer denies any part of 
the correction request, the reasons for the denial will be provided to 
the requester.


Sec.  200.10  Disclosure of records to third parties.

    (a) The Board will not disclose any record that is contained in a 
system of records to any person or agency, except with a written 
request by or with the prior written consent of the individual whose 
record is requested, unless disclosure of the record is:
    (1) Required by an employee or agent of the Board in the 
performance of his/her official duties.
    (2) Required under the provisions of the Freedom of Information Act 
(5 U.S.C. 552). Records required to be made available by the Freedom of 
Information Act will be released in response to a request in accordance 
with the Board's regulation published at 4 CFR Part 201.
    (3) For a routine use as published in the annual notice in the 
Federal Register.
    (4) To the Census Bureau for planning or carrying out a census, 
survey, or related activities pursuant to the provisions of Title 13 of 
the United States Code.
    (5) To a recipient who has provided the Board with adequate advance 
written assurance that the record will be used solely as a statistical 
research or reporting record and that the record is to be transferred 
in a form that is not individually identifiable.
    (6) To the National Archives and Records Administration as a record 
that has sufficient historical or other value to warrant its continued 
preservation by the United States government, or for evaluation by the 
Archivist of the United States, or his or her designee, to determine 
whether the record has such value.
    (7) To another agency or to an instrumentality of any governmental 
jurisdiction within or under the control of the United States for a 
civil or criminal law enforcement activity, if the activity is 
authorized by law, and if the head of the agency or instrumentality has 
made a written request to the Board for such records specifying the 
particular part desired and the law enforcement activity for which the 
record is sought. The Board also may disclose such a record to a law 
enforcement agency on its own initiative in situations in which 
criminal conduct is suspected, provided that such disclosure has been 
established as a routine use, or in situations in which the misconduct 
is directly related to the purpose for which the record is maintained.
    (8) To a person pursuant to a showing of compelling circumstances 
affecting the health or safety of an individual if, upon such 
disclosure, notification is transmitted to the last known address of 
such individual.
    (9) To either House of Congress, or, to the extent of matters 
within its jurisdiction, any committee or subcommittee thereof, any 
joint committee of Congress or subcommittee of any such joint 
committee.
    (10) To the Comptroller General, or any of his or her authorized 
representatives, in the course of the performance of official duties of 
the Government Accountability Office.
    (11) Pursuant to an order of a court of competent jurisdiction. In 
the event that any record is disclosed under such compulsory legal 
process, the Board shall make reasonable efforts to notify the subject 
individual after the process becomes a matter of public record.
    (12) To a consumer reporting agency in accordance with 31 U.S.C. 
3711(e).
    (b) Before disseminating any record about any individual to any 
person other than a Board employee, the Board shall make reasonable 
efforts to ensure that the records are, or at the time they were 
collected, accurate, complete, timely, and relevant. This paragraph (b) 
does not apply to disseminations made pursuant to the provisions of the 
Freedom of Information Act (5 U.S.C. 552) and paragraph (a)(2) of this 
section.


Sec.  200.11  Maintaining records of disclosure.

    (a) The Board shall maintain a log containing the date, nature, and

[[Page 60130]]

purposes of each disclosure of a record to any person or agency. Such 
accounting also shall contain the name and address of the person or 
agency to whom or to which each disclosure was made. This log will not 
include disclosures made to Board employees or agents in the course of 
their official duties or pursuant to the provisions of the Freedom of 
Information Act (5 U.S.C. 552).
    (b) An accounting of each disclosure shall be retained for at least 
five years after the accounting is made or for the life of the record 
that was disclosed, whichever is longer.
    (c) The Board shall make the accounting of disclosure of a record 
pertaining to an individual available to that individual at his or her 
request. Such a request should be made in accordance with the 
procedures set forth in Sec.  200.5. This paragraph (c) does not apply 
to disclosure made for law enforcement purposes under 5 U.S.C. 
552a(b)(7) and Sec.  200.10(a)(7).


Sec.  200.12  Notification of systems of Privacy Act records.

    (a) Public Notice. The Board periodically reviews its systems of 
records and will publish information about any significant additions or 
changes to those systems in the Federal Register. Information about 
systems of records maintained by other agencies that are in the 
temporary custody of the Board will not be published. In addition, the 
Office of the Federal Register biennially compiles and publishes all 
systems of records maintained by all federal agencies, including the 
Board.
    (b) At least 30 days before publishing additions or changes to the 
Board's systems of records, the Board will publish a notice of intent 
to amend, providing the public with an opportunity to comment on the 
proposed amendments to its systems of records in the Federal Register.


Sec.  200.13  Privacy Act training.

    (a) The Board shall ensure that all persons involved in the design, 
development, operation, or maintenance of any Board systems of records 
are informed of all requirements necessary to protect the privacy of 
individuals. The Board shall ensure that all employees having access to 
records receive adequate training in their protection and that records 
have adequate and proper storage with sufficient security to ensure 
their privacy.
    (b) All employees shall be informed of the civil remedies provided 
under 5 U.S.C. 552a(g)(1) and other implications of the Privacy Act and 
of the fact that the Board may be subject to civil remedies for failure 
to comply with the provisions of the Privacy Act and the regulations in 
this part.


Sec.  200.14  Responsibility for maintaining adequate safeguards.

    The Board has the responsibility for maintaining adequate 
technical, physical, and security safeguards to prevent unauthorized 
disclosure or destruction of manual and automated records systems. 
These security safeguards shall apply to all systems of records in 
which identifiable personal data are processed or maintained, including 
all reports and output from such systems of records that contain 
identifiable personal information. Such safeguards must be sufficient 
to prevent negligent, accidental, or unintentional disclosure, 
modification, or destruction of any personal records or data; must 
minimize, to the extent practicable, the risk that skilled technicians 
or knowledgeable persons could improperly obtain access to modify or 
destroy such records or data; and shall further ensure against such 
casual entry by unskilled persons without official reasons for access 
to such records or data.
    (a) Manual systems. (1) Records contained in a system of records as 
defined in this part may be used, held, or stored only where facilities 
are adequate to prevent unauthorized access by persons within or 
outside the Board.
    (2) Access to and use of a system of records shall be permitted 
only to persons whose duties require such access to the information for 
routine uses or for such other uses as may be provided in this part.
    (3) Other than for access by employees or agents of the Board, 
access to records within a system of records shall be permitted only to 
the individual to whom the record pertains or upon his or her written 
request.
    (4) The Board shall ensure that all persons whose duties require 
access to and use of records contained in a system of records are 
adequately trained to protect the security and privacy of such records.
    (5) The disposal and destruction of identifiable personal data 
records shall be done by shredding and in accordance with rules 
promulgated by the Archivist of the United States.
    (b) Automated systems. (1) Identifiable personal information may be 
processed, stored, or maintained by automated data systems only where 
facilities or conditions are adequate to prevent unauthorized access to 
such systems in any form.
    (2) Access to and use of identifiable personal data associated with 
automated data systems shall be limited to those persons whose duties 
require such access. Proper control of personal data in any form 
associated with automated data systems shall be maintained at all 
times, including maintenance of accountability records showing 
disposition of input and output documents.
    (3) All persons whose duties require access to processing and 
maintenance of identifiable personal data and automated systems shall 
be adequately trained in the security and privacy of personal data.
    (4) The disposal and disposition of identifiable personal data and 
automated systems shall be done by shredding, burning, or, in the case 
of electronic records, by degaussing or by overwriting with the 
appropriate security software, in accordance with regulations of the 
Archivist of the United States or other appropriate authority.


Sec.  200.15  Systems of records covered by exemptions.

    The Board currently has no exempt systems of records.


Sec.  200.16  Mailing lists.

    The Board shall not sell or rent an individual's name and/or 
address unless such action is specifically authorized by law. This 
section shall not be construed to require the withholding of names and 
addresses otherwise permitted to be made public.

Ivan J. Flores,
Paralegal Specialist, Recovery Accountability and Transparency Board.
[FR Doc. E9-27878 Filed 11-19-09; 8:45 am]
BILLING CODE 6820-GA-P