[Federal Register Volume 82, Number 14 (Tuesday, January 24, 2017)]
[Rules and Regulations]
[Pages 8139-8144]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-00585]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF THE INTERIOR
National Indian Gaming Commission
25 CFR Part 515
RIN 3141-AA65
Privacy Act Procedures
AGENCY: National Indian Gaming Commission, Department of the Interior.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The National Indian Gaming Commission (NIGC or the Commission)
is establishing this rule in Chapter III of title 25 of the Code of
Federal Regulations. This rule describes the procedures and policies
adopted by the Commission pursuant to the Privacy Act of 1974. Under
the Act, a Federal agency must publish notice, in the Federal Register,
of any systems of records that it intends to create as well as
procedures regarding the collection, maintenance, use, and
dissemination of the records within those systems. The Commission
previously published notice of the creation of two systems of records,
namely the Indian Gaming Individuals Record System and the Management
Contract Individuals Record System. The regulations set forth here
update the Commission's previously published procedures and serve to
streamline how the Commission processes its Privacy Act requests.
DATES: Effective January 24, 2017.
FOR FURTHER INFORMATION CONTACT: Andrew Mendoza, Staff Attorney, at
(202) 632-7003 or by fax (202) 632-7066 (these numbers are not toll
free).
SUPPLEMENTARY INFORMATION: The Indian Gaming Regulatory Act (IGRA),
[[Page 8140]]
enacted on October 17, 1988, established the National Indian Gaming
Commission. Congress enacted the Privacy Act in 1974 (Public Law 93-
579, 5 U.S.C. 552a). The Commission originally adopted Privacy Act
procedures on January 22, 1993. Since that time, the Commission has
changed the location of its headquarters office, established a new
system of records, and streamlined the way it processes Privacy Act
requests. On February 26, 2015, the Commission announced its intent to
update its Privacy Act procedures through tribal consultation and
accepted comments from the regulated community orally at several
consultation sessions. The Commission also accepted written comments
via the consultation process through February 23, 2016. On August 26,
2016, after reviewing those comments, the Commission published a Notice
of Proposed Rulemaking, which invited additional comments from the
general public. No additional comments were received during that
period.
Although no comments were received during the comment period, the
Commission made two substantive changes to the proposed rule.
Specifically, the Commission is lengthening the time period for appeals
in Section 515.7(b) from 30 working days to 90 calendar days. One of
the major reasons for updating the Commission's Privacy Act regulations
was to align the procedures for processing Privacy Act requests with
the Commission's processes under the Freedom of Information Act (FOIA),
5 U.S.C. 552. On June 30, 2016, President Obama signed the FOIA
Improvements Act of 2016 into law. Among the many changes to the FOIA,
agencies are now required to provide requesters with not less than 90
days to appeal adverse determinations made under that Act. Since the
Commission processes all Privacy Act requests simultaneously under
both, the FOIA and Privacy Act, the Commission decided to lengthen the
amount of time for a requester to appeal an adverse determination under
the Privacy Act to match the timeline established in the FOIA.
Additionally, the Commission corrected an error in Section
515.7(c), which addresses the timeframe in which the Privacy Act
Appeals Officer must respond to an appeal. In the proposed rule, the
Privacy Act Appeals Officer was provided with 30 working days to
respond to an appeal. While this timeframe is within the Commission's
current regulations, it differs from the one set out within the
Commission's FOIA regulations. Under the FOIA, an agency is required to
respond to an appeal of an adverse determination within 20 working days
of its receipt. To streamline the Commission's appeals procedures and
synchronize the time for responses for requests that must be processed
under both statutes, this section should have read 20 working days
rather than 30. The provision is being adjusted accordingly.
Executive Order 13175
The National Indian Gaming Commission is committed to fulfilling
its tribal consultation obligations--whether directed by statute or
administrative action such as Executive Order (EO) 13175 (Consultation
and Coordination with Indian Tribal Governments)--by adhering to the
consultation framework described in its Consultation Policy published
July 15, 2013. Pursuant to the Order, the Commission engaged in
extensive consultation on this topic.
One comment received through consultation requested that Section
515.10 be revised to prevent the Commission from charging fees for the
first copy of a record or any portion of a record to an individual to
whom the record pertains.
The Commission disagrees and decided to keep the fee provisions as
initially presented. The Privacy Act allows agencies to establish fees
for duplication so long as there is no cost for searching or reviewing
the record. The Commission believes that the proposed regulation
appropriately places the cost of duplicating records on the requesting
individual and not on the Commission or tribes who fund its operations.
The same commenter also recommended that Section 515.11 clearly
state the penalties for providing a false statement under 18 U.S.C. 494
and 495.
The Commission disagrees. The proposed regulation identifies the
relevant statutes, which lay out the penalties for providing a false
statement. If the Commission were to clearly state the penalties
associated with those offenses, it would also be required to change its
regulations if Congress amended the penalties listed in those statutes.
The Commission prefers the approach in the proposed regulations, which
eliminates any need to update the provision in the future should the
penalties change.
Regulatory Flexibility Act: The Commission certifies that the
proposed rule will not have a significant economic impact on a
substantial number of small entities under the Regulatory Flexibility
Act (5 U.S.C. 601 et seq.). The factual basis for this certification is
as follows: This rule is procedural in nature and will not impose
substantive requirements that would be considered impacts within the
scope of the Act.
Unfunded Mandates Reform Act
The Commission is an independent regulatory agency, and, as such,
is exempt from the Unfunded Mandates Reform Act, 2 U.S.C. 1501 et seq.
Takings
In accordance with Executive Order 12630, the Commission has
determined that this proposed rule does not have significant takings
implications. A takings implication assessment is not required.
Civil Justice Reform
In accordance with Executive Order 12988, the Commission has
determined that the rule does not unduly burden the judicial system and
meets the requirements of sections 3(a) and 3(b)(2) of the Executive
Order.
Small Business Regulatory Enforcement Fairness Act
The proposed rule is not a major rule under 5 U.S.C. 804(2), the
Small Business Regulatory Enforcement Fairness Act. The proposed rule
will not result in an annual effect on the economy of more than $100
million per year; a major increase in costs or prices for consumers,
individual industries, Federal, State, or local government agencies, or
geographic regions; or significant adverse effects on competition,
employment, investment, productivity, innovation, or on the ability of
U.S. based enterprises.
Paperwork Reduction Act
The proposed rule does not contain any information collection
requirements for which the Office of Management and Budget approval
under the Paperwork Reduction Act (44 U.S.C. 3501-3520) would be
required.
National Environmental Policy Act
The Commission has determined that the proposed rule does not
constitute a major Federal Action significantly affecting the quality
of the human environment and that no detailed statement is required
pursuant to the National Environmental Policy Act of 1969.
List of Subjects in 25 CFR Part 515
Administrative practice and procedure, Privacy, Reporting and
recordkeeping.
[[Page 8141]]
0
For the reasons set forth in the preamble, the Commission revises part
25 CFR part 515 to read as follows:
PART 515--PRIVACY ACT PROCEDURES
Sec.
515.1 Purpose and scope.
515.2 Definitions.
515.3 Request for access to records.
515.4 Responsibility for responding to requests.
515.5 Responses to requests for access to records.
515.6 Request for amendment or correction of records.
515.7 Appeals of initial agency adverse determination.
515.8 Requests for an accounting of record disclosure.
515.9 Notice of court-ordered and emergency disclosures.
515.10 Fees.
515.11 Penalties.
515.12 [Reserved]
515.13 Specific exemptions.
Authority: 5 U.S.C. 552a
Sec. 515.1 Purpose and scope.
This part contains the regulations the National Indian Gaming
Commission (Commission) follows in implementing the Privacy Act of
1974. These regulations should be read together with the Privacy Act,
which provides additional information about records maintained on
individuals. The regulations in this part apply to all records
contained within systems of records maintained by the Commission that
are retrieved by an individual's name or personal identifier. They
describe the procedures by which individuals may request access to
records about themselves, request amendment or correction of those
records, and request an accounting of disclosures of those records by
the Commission. The Commission shall also process all Privacy Act
requests for access to records under the Freedom of Information Act
(FOIA), 5 U.S.C. 552, and the Commission's FOIA regulations contained
in 25 CFR part 517, which gives requesters maximum disclosure.
Sec. 515.2 Definitions.
For the purposes of this subpart:
(a) Individual means a citizen of the United States or an alien
lawfully admitted for permanent residence.
(b) Maintain means store, collect, use, or disseminate.
(c) Record means any item, collection, or grouping of information
about an individual that is maintained by the Commission, including
education, financial transactions, medical history, and criminal or
employment history, and that contains the individual's name, or
identifying number, symbol, or other identifier assigned to the
individual, such as social security number, finger or voice print, or
photograph.
(d) System of records means a group of any records under the
control of the Commission from which information is retrieved by the
name of the individual or by some identifying number, symbol, or other
identifier assigned to the individual.
(e) Routine use means use of a record for a purpose that is
compatible with the purpose for which it was collected.
(f) Working day means a Federal workday that does not include
Saturdays, Sundays, or Federal holidays.
Sec. 515.3 Request for access to records.
(a) How made and addressed. Any individual may make a request to
the Commission for access to records about him or herself. Such
requests shall conform to the requirements of this section. The request
may be made in person at 90 K Street NE., Suite 200, Washington, DC
20002 during the hours of 9 a.m. to 12 noon and 2 p.m. to 5 p.m. Monday
through Friday, in writing at NIGC Attn: Privacy Act Officer, C/O
Department of the Interior, 1849 C Street NW., Mail Stop #1621,
Washington, DC 20240, or via electronic mail addressed to
[email protected].
(b) Description of records sought. Each request for access to
records must describe the records sought in enough detail to enable
Commission personnel to locate the system of records containing them
with a reasonable amount of effort. Whenever possible, the request
should describe the records sought, the time periods in which the
records were compiled, any tribal gaming facility with which they were
associated, and the name or identifying number of each system of
records in which the records are kept.
(c) Agreement to pay fees. Requests shall also include a statement
indicating the maximum amount of fees the requester is willing to pay
to obtain the requested information. The requester must send
acknowledgment to the Privacy Act Officer indicating his/her
willingness to pay the fees. Absent such an acknowledgment within the
specified time frame, the request will be considered incomplete, no
further work shall be done, and the request will be administratively
closed.
(d) Verification of identity. When making a request for access to
records the individual seeking access must provide verification of
identity. The requester must provide a full name, current address, and
date and place of birth. The request must be signed and must either be
notarized or submitted under 28 U.S.C. 1746, which is a law that
permits statements to be made under penalty of perjury as a substitute
for notarization. In order to assist in the identification and location
of requested records, a request may also, at the requester's option,
include a social security number.
(e) Verification of guardianship. When making a request as a parent
or guardian of a minor or as the guardian of someone determined by a
court to be incompetent, for access to records about that individual,
the request must establish:
(1) The identity of the individual who is the subject of the record
by stating the name, current address, date and place of birth, and, at
the requester's option, the social security number of the individual;
(2) The requester's own identity, as required in paragraph (d) of
this section;
(3) That the requester is the parent or guardian of the individual
and proof of such relationship by providing a birth certificate showing
parentage or a court order establishing guardianship; and
(4) That the requester is acting on behalf of that individual in
making the request.
(f) Verification in the case of third party information requests.
Any individual who desires to have a record covered by this part
disclosed to or mailed to another person may designate such person and
authorize such person to act as his or her agent for that specific
purpose. The authorization shall be in writing, signed by the
individual whose record is requested, and notarized or witnessed as
provided in paragraph (d) of this section.
(g) In-person disclosures. An individual to whom a record is to be
disclosed in person, pursuant to this section, may have a person of his
or her own choosing accompany him or her when the record is disclosed.
If a requester is accompanied by another individual, the requester
shall be required to authorize in writing any discussion of the records
in the presence of the other person.
Sec. 515.4 Responsibility for responding to requests.
(a) In general. In determining which records are responsive to a
request, the Commission ordinarily will include only records in its
possession as of the date it begins its search for records. If any
other date is used, the Privacy Act Officer shall inform the requester
of that date.
(b) Authority to grant or deny requests. The Privacy Act Officer
shall
[[Page 8142]]
make initial determinations either to grant or deny in whole or in part
access to records.
(c) Consultations and referrals. When the Commission receives a
request for a record in its possession, the Privacy Act Officer shall
determine whether another agency of the Federal Government is better
able to determine whether the record is exempt from disclosure under
the Privacy Act. If the Privacy Act Officer determines that it is best
able to process the record in response to the request, then it shall do
so. If the Privacy Act Officer determines that it is not best able to
process the record, then it shall either:
(1) Respond to the request regarding that record, after consulting
with the agency best able to determine whether to disclose it and with
any other agency that has a substantial interest in it; or
(2) Refer the responsibility for responding to the request
regarding that record to the agency best able to determine whether to
disclose it, or to another agency that originated the record.
Ordinarily, the agency that originated a record will be presumed to be
best able to determine whether to disclose it.
(d) Notice of referral. Whenever the Privacy Act Officer refers all
or any part of the responsibility for responding to a request to
another agency, it ordinarily shall notify the requester of the
referral and inform the requester of the name of each agency to which
the request has been referred and of the part of the request that has
been referred.
Sec. 515.5 Responses to requests for access to records.
(a) Acknowledgement of requests. Upon receipt of a request, the
Privacy Act Officer ordinarily shall, within 20 working days, send an
acknowledgement letter which shall confirm the requester's agreement to
pay fees under Sec. 515.9 and provide an assigned request number.
(b) Grants of requests for access. Once the Privacy Act Officer
makes a determination to grant a request for access in whole or in
part, it shall notify the requester in writing. The notice shall inform
the requester of any fee charged under Sec. 515.9 of this part and the
Privacy Act Officer shall disclose records to the requester promptly on
payment of any applicable fee. If a request is made in person, the
Privacy Act Officer will disclose the records to the requester
directly, in a manner not unreasonably disruptive of its operations, on
payment of any applicable fee and with a written record made of the
grant of the request. If a requester is accompanied by another
individual, the requester shall be required to authorize in writing any
discussion of the records in the presence of the other person.
(c) Adverse determinations of requests for access. If the Privacy
Act Officer makes any adverse determination denying a request for
access in any respect, it shall notify the requester of that
determination in writing. The notification letter shall be signed by
the official making the determination and include:
(1) The name and title of the person responsible for the denial;
(2) A brief statement of the reason(s) for the denial, including
any Privacy Act exemption(s) applied to the denial;
(3) A statement that the denial may be appealed under Sec. 515.7
and a description of the requirements of Sec. 515.7.
Sec. 515.6 Request for amendment or correction of records.
(a) How made and addressed. An individual may make a request for an
amendment or correction to a Commission record about that individual by
writing directly to the Privacy Act Officer, following the procedures
in Sec. 515.3. The request should identify each particular record in
question, state the amendment or correction that is sought, and state
why the record is not accurate, relevant, timely, or complete. The
request may include any documentation that would be helpful to
substantiate the reasons for the amendment sought.
(b) Privacy Act Officer response. The Privacy Act Officer shall,
not later than 10 working days after receipt of a request for an
amendment or correction of a record, acknowledge receipt of the request
and provide notification of whether the request is granted or denied.
If the request is granted in whole or in part, the Privacy Act Officer
shall describe the amendment or correction made and shall advise the
requester of the right to obtain a copy of the amended or corrected
record. If the request is denied in whole or in part, the Privacy Act
Officer shall send a letter signed by the denying official stating:
(1) The reason(s) for the denial; and
(2) The procedure for appeal of the denial under paragraph (c) of
this section.
(c) Appeals. A requester may appeal a denial of a request for
amendment or correction in the same manner as a denial of a request for
access as described in Sec. 515.7. If the appeal is denied, the
requester shall be advised of the right to file a Statement of
Disagreement as described in paragraph (d) of this section and of the
right under the Privacy Act for judicial review of the decision.
(d) Statements of Disagreement. If the appeal under this section is
denied in whole or in part, the requester has the right to file a
Statement of Disagreement that states the reason(s) for disagreeing
with the Privacy Act Officer's denial of the request for amendment or
correction. Statements of Disagreement must be concise, must clearly
identify each part of any record that is disputed, and should be no
longer than one typed page for each fact disputed. The Statement of
Disagreement shall be placed in the system of records in which the
disputed record is maintained and the record shall be marked to
indicate a Statement of Disagreement has been filed.
(e) Notification of amendment, correction, or disagreement. Within
30 working days of the amendment or correction of the record, the
Privacy Act Officer shall notify all persons, organizations, or
agencies to which it previously disclosed the record, and if an
accounting of that disclosure was made, that the record has been
amended or corrected. If a Statement of Disagreement was filed, the
Commission shall append a copy of it to the disputed record whenever
the record is disclosed and may also append a concise statement of its
reason(s) for denying the request to amend the record.
(f) Records not subject to amendment. Section 515.13 lists the
records that are exempt from amendment or correction.
Sec. 515.7 Appeals of initial adverse agency determination.
(a) Adverse determination. An initial adverse agency determination
of a request may consist of: A determination to withhold any requested
record in whole or in part; a determination that a requested record
does not exist or cannot be located; a determination that the requested
record is not a record subject to the Privacy Act; a determination that
a record will not be amended; a determination to deny a request for an
accounting; a determination on any disputed fee matter; and any
associated denial of a request for expedited treatment under the
Commission's FOIA regulations.
(b) Appeals. If the Privacy Act Officer issues an adverse
determination in response to a request, the requester may file a
written notice of appeal. The notice shall be accompanied by the
original request, the initial adverse determination that is being
appealed, and a statement describing why the adverse determination was
in error. The appeal shall be addressed to the Privacy
[[Page 8143]]
Act Appeals Officer at the locations listed in Sec. 515.3 of this part
no later than 90 calendar days after the date of the letter denying the
request. Both the appeal letter and envelope should be marked ``Privacy
Act Appeal.'' Any Privacy Act appeals submitted via electronic mail
should state ``Privacy Act Appeal'' in the subject line.
(c) Responses to appeals. The decision on appeal will be made in
writing within 20 working days of receipt of the notice of appeal by
the Privacy Act Appeals Officer. For good cause shown, however, the
Privacy Act Appeals Officer may extend the 30 working day period. If
such an extension is taken, the requester shall be promptly notified of
such extension and the anticipated date of decision. A decision
affirming an adverse determination in whole or in part will include a
brief statement of the reason(s) for the determination, including any
Privacy Act exemption(s) applied. If the adverse determination is
reversed or modified in whole or in part, the requester will be
notified in a written decision and the request will be reprocessed in
accordance with that appeal decision. The response to the appeal shall
also advise of the right to institute a civil action in a Federal
district court for judicial review of the decision.
(d) When appeal is required. In order to institute a civil action
in a federal district court for judicial review of an adverse
determination, a requester must first appeal it under this section.
Sec. 515.8 Requests for an accounting of record disclosure.
(a) How made and addressed. Subject to the exceptions listed in
paragraph (b) of this section, an individual may make a request for an
accounting of the disclosures of any record about that individual that
the Commission has made to another person, organization, or agency. The
accounting contains the date, nature and purpose of each disclosure, as
well as the name and address of the person, organization, or agency to
which the disclosure was made. The request for an accounting should
identify each particular record in question and should be made in
writing to the Commission's Privacy Act Officer, following the
procedures in Sec. 515.3.
(b) Where accountings are not required. The Commission is not
required to provide an accounting where they relate to:
(1) Disclosures for which accountings are not required to be kept,
such as those that are made to employees of the Commission who have a
need for the record in the performance of their duties and disclosures
that are made under section 552 of title 5;
(2) Disclosures made to law enforcement agencies for authorized law
enforcement activities in response to written requests from those law
enforcement agencies specifying the law enforcement activities for
which the disclosures are sought; or
(3) Disclosures made from law enforcement systems of records that
have been exempted from accounting requirements.
(c) Appeals. A requester may appeal a denial of a request for an
accounting in the same manner as a denial of a request for access as
described in Sec. 515.7 of this part and the same procedures will be
followed.
(d) Preservation of accountings. All accountings made under this
section will be retained for at least five years or the life of the
record, whichever is longer, after the disclosure for which the
accounting is made.
Sec. 515.9 Notice of court-ordered and emergency disclosures.
(a) Court-ordered disclosures. When a record pertaining to an
individual is required to be disclosed by a court order, the Privacy
Act Officer shall make reasonable efforts to provide notice of this to
the individual. Notice shall be given within a reasonable time after
the Privacy Act Officer's receipt of the order--except that in a case
in which the order is not a matter of public record, the notice shall
be given only after the order becomes public. This notice shall be
mailed to the individual's last known address and shall contain a copy
of the order and a description of the information disclosed. Notice
shall not be given if disclosure is made from a criminal law
enforcement system of records that has been exempted from the notice
requirement.
(b) Emergency disclosures. Upon disclosing a record pertaining to
an individual made under compelling circumstances affecting health or
safety, the Privacy Act Officer shall, within a reasonable time, notify
that individual of the disclosure. This notice shall be mailed to the
individual's last known address and shall state the nature of the
information disclosed; the person, organization, or agency to which it
was disclosed; the date of disclosure; and the compelling circumstances
justifying disclosure.
Sec. 515.10 Fees.
The Commission shall charge fees for duplication of records under
the Privacy Act in the same way in which it charges duplication fees
under Sec. 517.9 of this part. No search or review fee may be charged
for any record. Additionally, when the Privacy Act Officer makes a copy
of a record as a necessary part of reviewing the record or granting
access to the record, the Commission shall not charge for the cost of
making that copy. Otherwise, the Commission may charge a fee sufficient
to cover the cost of duplicating a record.
Sec. 515.11 Penalties.
Any person who makes a false statement in connection with any
request for access to a record, or an amendment thereto, under this
part, is subject to the penalties prescribed in 18 U.S.C. 494 and 495.
Sec. 515.12 [Reserved]
Sec. 515.13 Specific exemptions.
(a) The following systems of records are exempt from 5 U.S.C.
552a(c)(3), (d), (e)(1) and (f):
(1) Indian Gaming Individuals Records System.
(2) Management Contract Individuals Record System.
(b) The exemptions under paragraph (a) of this section apply only
to the extent that information in these systems is subject to exemption
under 5 U.S.C. 552a(k)(2). When compliance would not appear to
interfere with or adversely affect the overall responsibilities of the
Commission, with respect to licensing of key employees and primary
management officials for employment in an Indian gaming operation or
verifying the suitability of an individual who has a financial interest
in, or management responsibility for a management contract, the
applicable exemption may be waived by the Commission.
(c) Exemptions from the particular sections are justified for the
following reasons:
(1) From 5 U.S.C. 552a(c)(3), because making available the
accounting of disclosures to an individual who is the subject of a
record could reveal investigative interest. This would permit the
individual to take measures to destroy evidence, intimidate potential
witnesses, or flee the area to avoid the investigation.
(2) From 5 U.S.C. 552a(d), (e)(1), and (f) concerning individual
access to records, when such access could compromise classified
information related to national security, interfere with a pending
investigation or internal inquiry, constitute an unwarranted invasion
of privacy, reveal a sensitive investigative technique, or pose a
potential threat to the Commission or its employees or to law
enforcement personnel. Additionally, access could
[[Page 8144]]
reveal the identity of a source who provided information under an
express promise of confidentiality.
(3) From 5 U.S.C. 552a(d)(2), because to require the Commission to
amend information thought to be incorrect, irrelevant, or untimely,
because of the nature of the information collected and the length of
time it is maintained, would create an impossible administrative and
investigative burden by continually forcing the Commission to resolve
questions of accuracy, relevance, timeliness, and completeness.
(4) From 5 U.S.C. 552a(e)(1) because:
(i) It is not always possible to determine relevance or necessity
of specific information in the early stages of an investigation.
(ii) Relevance and necessity are matters of judgment and timing in
that what appears relevant and necessary when collected may be deemed
unnecessary later. Only after information is assessed can its relevance
and necessity be established.
(iii) In any investigation the Commission may receive information
concerning violations of law under the jurisdiction of another agency.
In the interest of effective law enforcement and under 25 U.S.C.
2716(b), the information could be relevant to an investigation by the
Commission.
(iv) In the interviewing of individuals or obtaining evidence in
other ways during an investigation, the Commission could obtain
information that may or may not appear relevant at any given time;
however, the information could be relevant to another investigation by
the Commission.
Dated: December 30, 2016.
Jonodev Chaudhuri,
Chairman.
Kathryn Isom-Clause,
Vice-Chair.
Sequoyah Simermeyer,
Commissioner.
[FR Doc. 2017-00585 Filed 1-23-17; 8:45 am]
BILLING CODE 7565-01-P