[Federal Register Volume 88, Number 185 (Tuesday, September 26, 2023)]
[Rules and Regulations]
[Pages 65807-65815]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-20690]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 200

[Release No. 34-98437; PA-60; File No. S7-03-23]
RIN 3235-AN21


The Commission's Privacy Act Regulations

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'' or 
``SEC'') is adopting amendments to the Commission's regulations under 
the Privacy Act of 1974, as amended (``Privacy Act''). The amendments 
revise the Commission's regulations under the Privacy Act to clarify, 
update, and streamline the language of several procedural provisions.

DATES: Effective: October 26, 2023.

FOR FURTHER INFORMATION CONTACT: Ray McInerney, FOIA/PA Officer, Office 
of FOIA Services, (202) 551-6249; Securities and Exchange Commission, 
100 F Street NE, Washington, DC 20549-5041.

SUPPLEMENTARY INFORMATION:

I. Introduction

    On February 14, 2023, the Commission proposed amendments to its 
existing regulations under the Privacy Act, 5 U.S.C. 552a,\1\ to 
reflect changes to clarify, update, and streamline the language of 
several procedural provisions. The Commission received sixteen comments 
on the proposed amendments, eleven of which were unrelated to the 
proposed rule. After consideration of the comments received, the 
Commission is adopting the amendments to its Privacy Act regulations as 
proposed. This final rule replaces the Commission's existing Privacy 
Act regulations in their entirety (17 CFR 200.301 through 200.313).
---------------------------------------------------------------------------

    \1\ See Release No. 34-96906 (Feb. 14, 2023), 88 FR 10483 (Feb. 
21, 2023) (``Proposing Release'').
---------------------------------------------------------------------------

II. Amendments

A. Amendments To Update, Clarify, and Streamline the Privacy Act 
Regulations

    The Commission is adopting amendments to certain procedural 
provisions to clarify, update, and streamline the Commission's Privacy 
Act regulations.\2\ The final rule, among other things: clarifies the 
purpose and scope of the regulations (Section 200.301); updates 
definitions so that the processes set forth in the regulations are more 
plainly described (17 CFR 200.302); simplifies the processes for 
submitting and receiving responses to Privacy Act inquiries, requests, 
and administrative appeals (17 CFR 200.303, 305, 306, 307, and 308); 
allows for requesters to electronically verify their identities, 
including by facsimile, email, or an online Commission form (17 CFR 
200.303); provides for a shorter Commission response time to Privacy 
Act inquiries as to whether a specific system of records maintained by 
the Commission contains a record pertaining to the requester, which 
aligns with other relevant time lines (17 CFR 200.304); updates agency 
contact information (e.g., office names, facsimile numbers, email 
addresses, and physical addresses) (17 CFR 200.303, 305, 308, and 309); 
and updates the list of Commission systems of records that have 
promulgated rules exempting certain records from certain provisions of 
the Privacy Act (17 CFR 200.310).
---------------------------------------------------------------------------

    \2\ These amendments are discussed in greater detail in Section 
IV. Economic Analysis.

---------------------------------------------------------------------------

[[Page 65808]]

B. Revisions to Fee Provisions

    The final rule updates the fee provisions to reflect existing 
practice with respect to charging fees for duplicating documents. 
Duplication rates are available on the Office of FOIA Services' fee 
page on the Commission's website. The duplication fees currently posted 
on the website reflect the direct costs to the Commission of producing 
a copy, whether in paper or electronic format, taking into account 
various factors including the salary of the employee(s) performing the 
work and the cost of materials. The Office of FOIA Services does not 
charge for providing existing electronic records because such a 
production does not require duplication processes, such as scanning or 
commercial copying of hard copies that impose direct costs on the 
Commission. The duplication fee posted on the Commission's website is 
adjusted as appropriate to reflect current costs.
    The final rule also codifies the existing practice of charging 
requesters the direct costs associated with making records available on 
electronic storage devices, as presently reflected on the Commission's 
FOIA fee website. Further, the final rule allows for providing 
requesters with one free copy of each record amended or corrected 
pursuant to a request for amendment or correction.

C. Elimination of Certain Provisions

    The amendments eliminate certain provisions from the existing 
regulations, as well as two Sections in their entirety. The deleted 
provisions either restate language in the Privacy Act, and thus do not 
require elaboration in the Commission's regulations; have been 
incorporated into other provisions within the final rule; or are 
otherwise unnecessary. The amendments remove the following provisions 
of the existing rule:

    Title 17, section 200.305: This provision, which provides 
special procedures for requests for medical records, is unnecessary 
as the medical records the Commission typically maintains, whether 
about Commission staff or other individuals, are generally available 
to those individuals through other means, and the Commission has 
never used special procedures for medical records in connection with 
Privacy Act requests.
    Title 17, section 200.307(b): This provision restates the 
standards applied in reviewing requests for amendment or correction 
of records. These standards are set forth in the Privacy Act. 
Therefore, it is unnecessary to restate them in the Commission's 
regulations.
    Title 17, section 200.309(a): This provision describes the 
standards for extending time to respond to requests. This section 
uses language from the Freedom of Information Act (5 U.S.C. 
552(a)(6)(B)(iii)) rather than the Privacy Act. Title 17, sections 
200.304(d)(1), 304(d)(2)(ii), 307(b), and 309(a)(3) of the final 
rule contain information about extensions of time based on the 
requirements of the Privacy Act.
    Title 17, sections 200.309(b), (c), (d), and (e): These 
provisions are unnecessary as they are not contemplated by the 
statute, are covered elsewhere in the final rule, or are obsolete 
due to changes in technology affecting how Privacy Act requests are 
processed.
    Title 17, section 200.311: This provision restates the statutory 
penalties set forth in the Privacy Act (5 U.S.C. 552a(i)). 
Accordingly, recitation within Commission regulations is 
unnecessary.

D. Addition of Provisions

    The final amendments add a provision for processing requests by 
individuals for an accounting of certain record disclosures about the 
requester, to include the date, nature, and purpose of each disclosure, 
that the Commission has made available to another person, organization, 
or agency (17 CFR 200.307 of the final rule). While the statute allows 
for individuals to request such an accounting (5 U.S.C. 552a(c)(3)), 
the Commission's existing rule has no such provision. The final rule 
also includes a provision that formally implements a 90-day time period 
for requesters to file administrative appeals (17 CFR 200.308 of the 
final rule). The 90-day period is appropriate because Privacy Act 
requests for access to records are concurrently processed as Freedom of 
Information Act (``FOIA'') requests and the FOIA sets forth a 90-day 
deadline to file an administrative appeal. Because of the overlap with 
FOIA, Privacy Act requesters are currently informed they have 90 days 
to file an administrative appeal in response to an adverse decision. 
The final rule codifies this current procedure.

E. Public Comments

    The Commission received 16 comments in response to the proposed 
rulemaking. Eleven of the comments concerned subjects that were 
unrelated to the proposed rule and the Privacy Act in general.\3\ Four 
comments approved of the proposed rule in its entirety.\4\
---------------------------------------------------------------------------

    \3\ See, e.g., comments from Anonymous, dated Feb. 22, 2023; 
comments from Vince Navarro, dated Feb. 23, 2023; comments from 
Jonathan Dinkel, dated Mar. 1, 2023; comments from Household Harry, 
dated Mar. 1, 2023; comments from Chris Carrington, dated Mar. 5, 
2023; comments from Curtis Higgins, dated Mar. 6, 2023; comments 
from D Skewis, dated Mar. 7, 2023; comments from Nick, dated Mar. 
19, 2023; comments from Curtis, dated Mar. 23, 2023; comments 
Nathaniel Moraton, dated Apr. 7, 2023; and comments from Alexander 
MacCartney, dated Apr. 17, 2023.
    \4\ See, e.g., comments from Nick Ahlers, dated Feb. 24, 2023; 
comments from Angel Rodriguez, dated Feb. 27, 2023; comments from 
Richard Russell, dated Mar. 1, 2023; and comments from Bernie 
Bankman Griffin, dated Mar. 6, 2023.
---------------------------------------------------------------------------

    One commenter supported several provisions in the proposed rule, 
but expressed concern regarding revisions to the fee provisions.\5\ 
Specifically, the commenter indicated that charging requesters the 
direct costs associated with making records available on electronic 
storage devices might ``potentially discourage individuals from 
exercising their rights under the Privacy Act, particularly those who 
may not have the financial means to pay for the direct costs associated 
with obtaining records.'' \6\ The overwhelming majority of records that 
are responsive to Privacy Act requests are provided in electronic 
format. The Office of FOIA Services does not charge for providing 
existing electronic records unless the volume of electronic records is 
such that production requires an electronic storage device. Although 
the Office of FOIA Services requires fees for production of records on 
an electronic storage device, no such fees were charged from 2015 
through 2022. Typically, production of voluminous electronic records 
can be accomplished with secure file sharing platforms. Electronic 
storage devices would only be used at the election of the requester, 
and we expect such a request would be made only if the cost would not 
be a significant impediment. The Commission collected no fees for 
processing Privacy Act requests during fiscal years 2015 through 2022, 
whether electronic or otherwise. The Commission is not making any 
changes in response to this comment because it anticipates that it will 
generally be able to produce even voluminous electronic records with 
file sharing platforms.
---------------------------------------------------------------------------

    \5\ See Gillmore comment, dated Feb. 24, 2023.
    \6\ Id.
---------------------------------------------------------------------------

    The same commenter also expressed concern that that the deletion of 
certain provisions within the existing regulations would eliminate 
protections to individuals' privacy rights.\7\ As an example, the 
commenter stated that the deletion of 17 CFR 200.305 might make it more 
difficult for individuals to access their records.\8\ Under the 
existing rule at 17 CFR 200.305, the Commission may require the 
requester to submit a signed statement by a physician or a mental 
health professional or the Commission may initially disclose the 
records to a physician or a mental health professional for their 
review. Obtaining a statement from a physician or mental health 
professional and/or

[[Page 65809]]

having a physician or mental health professional review an individual's 
records prior to disclosure would result in additional processing time. 
Deletion of existing 17 CFR 200.305 will make it easier for a requester 
to obtain their records. Therefore, the Commission is not making any 
changes from its proposal in response to this comment.
---------------------------------------------------------------------------

    \7\ Id.
    \8\ Id.
---------------------------------------------------------------------------

III. Other Matters

    If any of the provisions of these rules, or the application thereof 
to any person or circumstance, is held to be invalid, such invalidity 
shall not affect other provisions or application of such provisions to 
other persons or circumstances that can be given effect without the 
invalid provision or application.
    Pursuant to the Congressional Review Act, the Office of Information 
and Regulatory Affairs has designated these rules as not a ``major 
rule,'' as defined by 5 U.S.C. 804(2).

IV. Economic Analysis

    The Commission is sensitive to the economic effects, including the 
costs and benefits that result from its rules. Section 23(a)(2) of the 
Securities Exchange Act of 1934 (``Exchange Act'') requires the 
Commission, in making rules pursuant to any provision of the Exchange 
Act, to consider among other matters the impact any such rule would 
have on competition and prohibits any rule that would impose a burden 
on competition that is not necessary or appropriate in furtherance of 
the purposes of the Exchange Act.\9\ Further, Section 3(f) of the 
Exchange Act requires the Commission, when engaging in rulemaking where 
it is required to consider or determine whether an action is necessary 
or appropriate in the public interest, to consider, in addition to the 
protection of investors, whether the action will promote efficiency, 
competition, and capital formation.\10\
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 78w(a).
    \10\ 15 U.S.C. 78c(f).
---------------------------------------------------------------------------

    As explained in the Proposing Release and discussed further below, 
the Commission believes that the economic effects of the final rule 
will be limited. The Commission notes that, where possible, it has 
attempted to quantify the costs, benefits, and effects on efficiency, 
competition, and capital formation expected to result from the final 
amendments. In some cases, however, the Commission is unable to 
quantify the economic effects because it lacks the information 
necessary to provide a reasonable estimate. Additionally, some of the 
potential benefits of the amendments are inherently difficult to 
quantify.
    The final amendments fall into four categories: (1) revisions to 
procedural provisions; (2) revisions to certain fee provisions; (3) the 
elimination of certain unnecessary provisions; and (4) the addition of 
a new provision for requesting an accounting of record disclosures. We 
discuss each of these in turn below.
    First, we are amending certain procedural provisions. Most of these 
changes codify existing practice, including: (1) adding methods for 
submitting Privacy Act inquiries, requests, and administrative appeals; 
(2) clarifying the procedures for submitting requests for information 
or records about oneself; (3) clarifying certain procedures for 
verification of identity, including options available for in-person or 
not in-person verification and necessary documentation; (4) clarifying 
procedures for submitting an administrative appeal; (5) codifying the 
existing practice of providing requesters 90 days to file an 
administrative appeal; and (6) correctly identifying the Commission 
systems of records that are exempt under the Privacy Act.\11\ We 
believe that adoption of the final rule will have minimal impact on 
Privacy Act requesters because it largely codifies existing practices. 
Adoption of the final rule could benefit the public and improve 
efficiency by decreasing the time in which the Commission responds to 
inquiries, requests, and appeals.
---------------------------------------------------------------------------

    \11\ One of the systems of records identified in the existing 
rule is obsolete. Another system of records had its name changed, 
and a new system of records was added.
---------------------------------------------------------------------------

    Furthermore, these amendments may reduce potential confusion among 
Privacy Act requesters with regard to certain existing procedures, 
which could further benefit the public. In particular, because Privacy 
Act requests for access to records are also processed as FOIA requests 
and the FOIA sets forth a 90-day deadline to file an administrative 
appeal, Privacy Act requesters are currently informed they have 90 days 
to file an administrative appeal in response to an adverse decision. We 
believe that codifying this existing practice would benefit requesters 
by removing any uncertainty as to when appeals must be filed. In 
addition, with respect to the provisions on verification of identity, 
the amendments also explicitly provide for an alternative electronic 
identification option through processes made available on the 
Commission's website. By clarifying and supplementing the available 
options for verification, these amendments may allow requesters to more 
efficiently choose a verification process that is most appropriate for 
them. We do not expect the amendments to the procedural provisions to 
result in additional costs to any member of the public.
    Second, we are revising the provision concerning fees charged for 
duplication. This includes: (1) determining duplication fees based on 
the direct cost to the Commission as set forth on the FOIA fee page on 
the Commission's website; (2) codifying the existing practice of 
charging requesters the direct costs associated with making records 
available on electronic storage devices; and (3) clarifying that 
requesters will receive one free copy of each record corrected or 
amended pursuant to a request for amendment.
    The amendments to the fee procedures would benefit Privacy Act 
requesters by removing potential confusion about the cost of obtaining 
records and the cost of making records available on electronic storage 
devices. We do not anticipate that any of the changes to the fee 
procedures would impose significant new costs on Privacy Act requesters 
or have any other economic impact.
    Prior to July 2018, duplication costs for FOIA and Privacy Act 
requesters were 24 cents per page as set by contract with a commercial 
copier. Since that time, duplication costs have been set at 15 cents 
per page, which reflects the direct cost to the Commission. Duplication 
fees may change in the future, to the extent that the Commission's 
direct costs for duplicating materials increase or decrease.
    The table below shows the number of Privacy Act requests processed 
by the Commission during fiscal years 2015 through 2022 and that, 
during those years, the Commission collected no fees for processing 
requests received under the Privacy Act.

------------------------------------------------------------------------
                                                          Fees collected
                 Fiscal year                   Requests   for processing
                                               processed     requests
------------------------------------------------------------------------
2015........................................         134           $0.00
2016........................................         155            0.00
2017........................................          95            0.00
2018........................................         283            0.00
2019........................................         162            0.00
2020........................................         159            0.00
2021........................................         255            0.00
2022........................................         261            0.00
------------------------------------------------------------------------

    From fiscal years 2015 through 2022 requesters were not charged 
fees because either no records were provided or the requester was 
provided with

[[Page 65810]]

existing electronic records, for which a fee is not charged. There were 
no requests processed that required production of hard copy records, 
the scanning of hard copies, or production in another media, such as an 
electronic storage device, and, consequently, no requests that would 
have imposed direct costs on the Commission.
    Given the lack of chargeable duplication fees in recent years, the 
Commission anticipates that the changes to duplication fees (including 
fees for producing materials in electronic format) would not result in 
significant additional costs for requesters. Further, these amendments 
largely codify existing practices regarding fees for duplication and 
production on other types of media and, like the existing regulations, 
do not charge fees for searching or retrieving records. As noted, one 
commenter indicated that charging requesters the direct costs 
associated with making records available on electronic storage devices 
might ``potentially discourage individuals from exercising their rights 
under the Privacy Act, particularly those who may not have the 
financial means to pay for the direct costs associated with obtaining 
records.'' \12\ However, as discussed, this amendment codifies existing 
practice. Moreover, from 2015 to 2022, no such fees were charged. 
Accordingly, we do not expect significant changes in incentives for 
requesters to make a request under the Privacy Act.
---------------------------------------------------------------------------

    \12\ See Gillmore comment, dated Feb. 24, 2023.
---------------------------------------------------------------------------

    The final rule clarifies that requesters will receive one free copy 
of each record corrected or amended pursuant to a request for 
amendment. This revision codifies an existing practice and would 
therefore not impose any additional burden on requesters.
    Third, the Commission is eliminating certain provisions in its 
Privacy Act regulations. The Commission does not anticipate that the 
removal of 17 CFR 200.305 will have any meaningful economic effects. 
The existing provision provides special procedures for requests for 
medical records, but the medical records the Commission typically 
maintains, whether about Commission staff or other individuals, are 
generally available to those individuals through other means, and the 
Commission has never used special procedures for medical records in 
connection with Privacy Act requests. One commenter indicated that the 
deletion of this provision might make it more difficult for requestors 
to obtain medical records; \13\ however, as noted above, requestors 
would still be able to access these records directly, which would 
involve less time than using the process outlined in existing 17 CFR 
200.305. The Commission does not expect the elimination of 17 CFR 
200.307(b) and 200.311 to result in any economic effects because they 
restate language in the Privacy Act.
---------------------------------------------------------------------------

    \13\ Id.
---------------------------------------------------------------------------

    There would also be minimal economic effects from the elimination 
of 17 CFR 200.309(a), which describes the standards for extending time 
to respond to requests, because other provisions in the final rule (17 
CFR 200.304(d), 200.306(b), and 200.307(d)) address the procedures and 
reasons for extending the time to respond to inquiries and requests. 
Similarly, the Commission does not expect the elimination of 17 CFR 
200.309(c) and 200.309(d) to result in meaningful economic effects. 
These provisions require giving notice to a requester when delay will 
result from the fact that the subject records are in use by a member of 
the Commission or its staff and when records are lost. The final rule 
would require the Office of FOIA Services to notify requesters of 
reasons for delay and of the fact that a record does not exist, so the 
specific information in 17 CFR 200.309(c) and 200.309(d) is 
duplicative.
    The elimination of 17 CFR 200.309(b) would remove the concept of an 
``effective date of action'' as it relates to mailing acknowledgements 
or responses by the Commission. This amendment could increase the 
Commission's flexibility in acknowledging or responding to requests 
while also potentially increasing uncertainty for requesters, but these 
effects would only be realized to the extent that requesters and the 
Commission rely on mail to make and respond to requests, and the 
Commission expects that use of mail will be infrequent going forward 
because most communications with requesters occur by email.
    The elimination of 17 CFR 200.309(e)(1), which prohibits oral 
requests, would have no substantive effect, because the existing 
regulations, like the final rule, elsewhere require Privacy Act 
requests to be made in writing. The elimination of 17 CFR 
200.309(e)(2), which states that a misdirected request will be deemed 
received only once it is received by a Privacy Act Officer and that an 
appeal will not be considered unless the request was in fact received 
by a Privacy Act Officer, removes an unnecessary provision because the 
final rule at 17 CFR 200.303(a) and 200.305(a) has the same effect by 
requiring that requesters use the methods described in the final rule 
to submit a Privacy Act inquiry or request.
    Finally, the Commission is adding a provision outlining the 
procedure for making requests for an accounting of record disclosures. 
The existing rules do not provide for such a procedure, although the 
Commission is obligated, by statute, to provide such information upon 
request.\14\ This provision would reduce the potential confusion among 
Privacy Act requesters about the exact procedure that they would have 
to follow with regard to this type of request, and therefore this 
provision would generally benefit the public. Furthermore, by providing 
clarity about the procedure that would have to be followed when 
requesting an accounting of record disclosures, the provision would 
likely reduce the cost to the public of submitting this type of 
request.
---------------------------------------------------------------------------

    \14\ 5 U.S.C. 552a(c)(3).
---------------------------------------------------------------------------

    The Commission requested comments on all aspects of the benefits 
and costs of the proposal. After evaluating all comments, the 
Commission continues to believe that the amendments to the Commission's 
Privacy Act regulations will not have any significant impact on 
competition or capital formation and may result in a slight improvement 
in operational efficiency.

V. Regulatory Flexibility Act Certification

    Pursuant to Section 605(b) of the Regulatory Flexibility Act of 
1980,\15\ the Commission certified that, when adopted, the amendments 
to 17 CFR 200.301 through 200.313 would not have a significant economic 
impact on a substantial number of small entities. This certification, 
including our basis for the certification, was included in the 
proposing release. The Commission solicited comments on the 
appropriateness of its certification, but received none. The Commission 
is adopting the final rules in the form published in the Proposing 
Release.
---------------------------------------------------------------------------

    \15\ 5 U.S.C. 605(b).
---------------------------------------------------------------------------

VI. Paperwork Reduction Act

    The Commission stated in the Proposing Release that the proposed 
amendments to the Privacy Act regulations do not contain any collection 
of information as defined by the Paperwork Reduction Act of 1995 
(``PRA'').\16\ The Commission also determined that the proposed 
amendments would not create any new filing, reporting, recordkeeping, 
or disclosure reporting requirements. Accordingly, the Commission did 
not submit the proposed amendments to the

[[Page 65811]]

Office of Management and Budget for review under the PRA.\17\ The 
Commission solicited comments on whether its conclusion that there are 
no new collections of information is correct, and it did not receive 
any comments.
---------------------------------------------------------------------------

    \16\ 44 U.S.C. 3501 et seq.
    \17\ 44 U.S.C. 3507(d) and 5 CFR 1320.11.
---------------------------------------------------------------------------

Statutory Authority

    The amendments contained herein are being adopted under the 
authority set forth in 5 U.S.C. 552a(f), 552a(j), 552a(k); and 15 
U.S.C. 78d-1 and 78w(a).

List of Subjects in 17 CFR Part 200

    Administrative practice and procedure; Privacy Act.

Text of Amendments

    For the reasons stated in the preamble, the Commission is amending 
title 17, chapter II of the Code of Federal Regulations as follows:

PART 200--ORGANIZATION; CONDUCT AND ETHICS; AND INFORMATION AND 
REQUESTS

0
1. The authority citation for part 200 continues to read as follows:

    Authority:  5 U.S.C. 552, 552a, 552b, and 557; 11 U.S.C. 901 and 
1109(a); 15 U.S.C. 77c, 77e, 77f, 77g, 77h, 77j, 77o, 77q, 77s, 77u, 
77z-3, 77ggg(a), 77hhh, 77sss, 77uuu, 78b, 78c(b), 78d, 78d-1, 78d-
2, 78e, 78f, 78g, 78h, 78i, 78k, 78k-1, 78l, 78m, 78n, 78o, 78o-4, 
78q, 78q-1, 78w, 78t-1, 78u, 78w, 78ll(d), 78mm, 78eee, 80a-8, 80a-
20, 80a-24, 80a-29, 80a-37, 80a-41, 80a-44(a), 80a-44(b), 80b-3, 
80b-4, 80b-5, 80b-9, 80b-10(a), 80b-11, 7202, and 7211 et seq.; 29 
U.S.C. 794; 44 U.S.C. 3506 and 3507; Reorganization Plan No. 10 of 
1950 (15 U.S.C. 78d nt); sec. 8G, Pub. L. 95-452, 92 Stat. 1101 (5 
U.S.C. App.); sec. 913, Pub. L. 111-203, 124 Stat. 1376, 1827; sec. 
3(a), Pub. L. 114-185, 130 Stat. 538; E.O. 11222, 30 FR 6469, 3 CFR, 
1964-1965 Comp., p. 36; E.O. 12356, 47 FR 14874, 3 CFR, 1982 Comp., 
p. 166; E.O. 12600, 52 FR 23781, 3 CFR, 1987 Comp., p. 235; 
Information Security Oversight Office Directive No. 1, 47 FR 27836; 
and 5 CFR 735.104 and 5 CFR parts 2634 and 2635, unless otherwise 
noted.
* * * * *

0
2. Subpart H is revised to read as follows:
Subpart H--Regulations Pertaining to the Privacy of Individuals and 
Systems of Records Maintained by the Commission
Sec.
200.301 Purpose and scope.
200.302 Definitions.
200.303 Procedures for making inquiries and requests for access.
200.304 Responses to inquiries and requests for access.
200.305 Requests for amendment or correction of records.
200.306 Review of requests for amendment or correction.
200.307 Requests for an accounting of record disclosures.
200.308 Administrative appeals.
200.309 Fees.
200.310 Specific exemptions.
200.311 Inspector General exemptions.
200.312 [Reserved]

Subpart H--Regulations Pertaining to the Privacy of Individuals and 
Systems of Records Maintained by the Commission


Sec.  200.301  Purpose and scope.

    (a) This subpart contains the rules of the Securities and Exchange 
Commission implementing the Privacy Act of 1974, as amended (Pub. L. 
93-579, 5 U.S.C. 552a). These rules are applicable to all records in 
systems of records maintained by the Commission. They set forth the 
procedures by which individuals may make an inquiry regarding or 
request access to records about themselves, request an amendment or 
correction of those records, and request an accounting of disclosures 
of those records by the Commission.
    (b) This subpart also lists the Commission systems of records that 
are exempt from some of the provisions of the Privacy Act of 1974. 
These exemptions are authorized under the Privacy Act, 5 U.S.C. 552a(j) 
and (k).


Sec.  200.302  Definitions.

    In addition to the definitions contained in 5 U.S.C. 552a(a), the 
following definitions apply in this subpart:
    Commission means the Securities and Exchange Commission.
    Inquiry means a request described in Privacy Act section (f)(1).
    Privacy Act means the Privacy Act of 1974, as amended (5 U.S.C. 
552a).
    Request for access to a record means a request made under Privacy 
Act section (d)(1).
    Request for amendment or correction of a record means a request 
made under Privacy Act section (d)(2).
    Request for an accounting means a request made under Privacy Act 
section (c)(3).
    Requester means an individual who makes an inquiry, a request for 
access, a request for amendment or correction, or a request for an 
accounting.


Sec.  200.303  Procedures for making inquiries and requests for access.

    Requesters seeking to know if a specific system of records 
maintained by the Commission contains a record pertaining to them may 
submit an inquiry to the Commission. Requesters may also request access 
to records pertaining to them in a system of records maintained by the 
Commission.
    (a) How to make an inquiry or request for access. An inquiry or 
request for access must be in writing and may be submitted by email 
([email protected]) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively 
submit an inquiry or request for access by mail to the Securities and 
Exchange Commission, Office of FOIA Services, 100 F Street NE, 
Washington, DC 20549 or other mailing address or facsimile number 
published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. Inquiries and requests for access that are submitted 
by mail should include the words ``PRIVACY ACT REQUEST'' in capital 
letters at the top of the letter and on the face of the envelope.
    (b) Information to be included in an inquiry or request for access. 
Each inquiry or request for access must include information that will 
assist the Commission in identifying those records the requester is 
seeking information about or access to. The following information, as 
relevant, should be submitted with the request: name of the individual 
whose record is sought; identifying data that will help locate the 
record (e.g., maiden name and period or place of employment); and the 
requester's name, address, telephone number, and email address. Where 
practicable, the requester should identify the system of records that 
is the subject of the inquiry or request for access by reference to the 
Commission's systems of records notices, which are published in the 
Federal Register. The Commission's systems of records notices can also 
be found on the Commission's website at https://www.sec.gov/oit/system-records-notices. If additional information is required before a request 
can be processed, the requester will be so advised.
    (c) Verification of identity. A requester making an inquiry or 
requesting access to a record must verify his or her identity before 
information is given or access is granted unless the information is 
required to be disclosed under the Freedom of Information Act (FOIA), 5 
U.S.C. 552.
    (1) In-person verification. A requester may appear at any of the 
Commission offices, which are listed on the Commission's website at 
https://www.sec.gov/divisions.shtml, and furnish documentation to 
establish his or her identity. Such documentation might include a valid 
driver's license, passport, birth certificate, employee or

[[Page 65812]]

military identification card, or Medicare card. Sufficiency of the 
documentation in verifying identity will be determined by the 
Commission staff member reviewing such documentation.
    (2) Not in-person verification. A requester who does not appear in 
person must verify his or her identity using one of the following 
methods:
    (i) A requester may use electronic identity proofing and 
authentication processes as made available through the Commission's 
website; or
    (ii) A requester may submit a copy of documentation to establish 
the requester's identity (examples of such documentation are noted in 
paragraph (c)(1) of this section).
    (3) Submission of signed statement. For all verification methods, a 
requester must also submit a statement attesting to the requester's 
identity and a statement that the requester understands that a knowing 
and willful request for or acquisition of a record pertaining to an 
individual under false pretenses is a criminal offense subject to a 
$5,000 fine. Sample statements and the requirements for completing them 
are available through the Commission's website.
    (4) Additional procedures for verifying identity. When it appears 
appropriate, the Commission's Office of FOIA Services may make such 
other arrangements for the verification of identity as are reasonable 
under the circumstances and appear to be effective to prevent 
unauthorized disclosure of, or access to, individual records.


Sec.  200.304  Responses to inquiries and requests for access.

    (a) Initial review. Inquiries and requests for access will be 
referred to the Commission's Office of FOIA Services which will make 
the initial determination as to whether the inquiry or request for 
access will be granted.
    (b) Grant of inquiry or request for access. If it is determined 
that an inquiry or request for access will be granted, the requester 
will be advised in writing. When a request for access is granted, in 
full or in part, a requester may elect to receive a copy of the 
requested record electronically, by mail, or in person, and the Office 
of FOIA Services will comply with that election to the extent 
practicable.
    (c) Denial of an inquiry or request for access. If it is determined 
that no response will be given to an inquiry or that a request for 
access will not be granted, the requester will be notified of that fact 
in writing and given the reasons for the denial. The requester also 
will be advised of his or her right to seek review by the Office of the 
General Counsel of the initial decision in accordance with the 
procedures set forth in Sec.  200.308.
    (d) Time for acting on inquiries and requests for access--(1) 
Responses to inquiries. The Office of FOIA Services will endeavor to 
inform a requester making an inquiry as to whether the named system of 
records contains a record pertaining to him or her within 10 days 
(excluding Saturdays, Sundays, and Federal holidays) of receipt of such 
a request. Whenever a response to an inquiry cannot be made within the 
10 days, the Office of FOIA Services will inform the requester of the 
reasons for the delay and the date by which a response may be 
anticipated.
    (2) Acknowledgement of and responses to requests for access. (i) 
Except where the requester appears in person, the Office of FOIA 
Services will endeavor to acknowledge, in writing, receipt of a request 
for access within 10 days (excluding Saturdays, Sundays, and Federal 
holidays) of receipt of such a request.
    (ii) The Office of FOIA Services will endeavor to respond to a 
request for access to a record pertaining to a requester within 30 days 
(excluding Saturdays, Sundays, and Federal holidays) after the receipt 
of the request. If, for good cause shown, a longer period of time is 
required, the Office of FOIA Services will inform the requester in 
writing of the reasons for the delay, and indicate when access is 
expected to be granted or denied.
    (3) Appearance in person. When a requester appears in person at the 
Commission to make a request for access and the requester provides the 
required information and verification of identity, the Office of FOIA 
Services' staff, if practicable, will indicate whether it is likely 
that the requester will be given access to the records and, if so, when 
and under what circumstances such access will be given.
    (e) Exclusion for certain records. Nothing contained in these rules 
allows a requester to obtain access to any records or information 
compiled in reasonable anticipation of a civil action or proceeding.


Sec.  200.305  Requests for amendment or correction of records.

    (a) How to a make request for amendment or correction. A written 
request for amendment or correction of records may be submitted by 
email ([email protected]) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively 
submit a request for amendment or correction by mail to the Securities 
and Exchange Commission, Office of FOIA Services, 100 F Street NE, 
Washington, DC 20549 or other mailing address or facsimile number 
published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. Requests that are submitted by mail should include 
the words ``PRIVACY ACT REQUEST'' in capital letters at the top of the 
letter and on the face of the envelope.
    (1) Information to be included in requests for amendment or 
correction. Each request for amendment or correction must reasonably 
describe the record sought to be amended or corrected. Such description 
should include, for example, relevant names, dates, and subject matter 
to permit the record to be located among the records maintained by the 
Commission. The requester will be advised promptly if the record cannot 
be located on the basis of the description given and if further 
identifying information is necessary before the request can be 
processed. Verification of the requester's identity as set forth in 
Sec.  200.303(c) will also be required before an amendment or 
correction is undertaken.
    (2) Basis for amendment or correction. A requester seeking an 
amendment or correction to a record must specify the substance of the 
amendment or correction and set forth facts and provide such materials 
that would support the contention that the record as maintained by the 
Commission is not accurate, timely, or complete or, where a request 
seeks deletion of information, that the record is not necessary and 
relevant to accomplish a statutory purpose of the Commission as 
authorized by law or by Executive Order of the President.
    (b) Acknowledgement of requests for amendment or correction. 
Receipt of a request for amendment or correction will be acknowledged 
in writing within 10 days (excluding Saturdays, Sundays, and Federal 
holidays) after such request has been received. When a request for 
amendment or correction is made in person, the requester will be given 
a written acknowledgement when the request is presented. The 
acknowledgement will describe the request received and indicate when it 
is anticipated that action will be taken on the request.


Sec.  200.306  Review of requests for amendment or correction.

    (a) Initial review. Requests for amendment or correction to records 
pertaining to that individual will be referred to the Commission's 
Office of FOIA Services for an initial determination.

[[Page 65813]]

    (b) Time for acting on requests. Initial review of a request for 
amendment or correction will be completed promptly and the Office of 
FOIA Services will endeavor to respond to a request within 30 days 
(excluding Saturdays, Sundays, and Federal holidays) from the date the 
request was received, unless circumstances preclude completion of 
review within that time. If the anticipated completion date indicated 
in the acknowledgement cannot be met, the requester will be advised in 
writing of the delay and the reasons for the delay, and also advised 
when action is expected to be completed.
    (c) Grant of requests for amendment or correction. If a request for 
amendment or correction is granted in whole or in part, the Office of 
FOIA Services will:
    (1) Advise the requester in writing of the extent to which it has 
been granted;
    (2) Amend or correct the record accordingly; and
    (3) Where an accounting of disclosures of the record has been kept 
pursuant to 5 U.S.C. 552a(c), advise all previous recipients of the 
record of the fact that the record has been amended or corrected and 
the substance of the amendment or correction.
    (d) Denial of requests for amendment or correction. If the request 
for amendment or correction is denied in whole or in part, the Office 
of FOIA Services will:
    (1) Promptly advise the requester in writing of the extent to which 
the request has been denied;
    (2) State the reasons for the denial of the request;
    (3) Describe the procedures to appeal the denial of the request for 
amendment or correction, including the name and address of the person 
to whom the appeal is to be addressed; and
    (4) Inform the requester that the Office of FOIA Services will 
provide information and assistance to the individual in perfecting an 
appeal of the initial decision.


Sec.  200.307  Requests for an accounting of record disclosures.

    (a) How made and addressed. Except where accountings of disclosures 
are not required to be kept or provided (as stated in paragraph (e) of 
this section), requesters may ask the Commission to provide an 
accounting of a disclosure of a record about the requester that the 
Commission has made to another person, organization, or agency. The 
request for an accounting should identify each particular record in 
question and must be made in writing. The request may be submitted by 
email ([email protected]) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively 
submit a request for an accounting by mail to the Securities and 
Exchange Commission, Office of FOIA Services, 100 F Street NE, 
Washington, DC 20549 or other mailing address or facsimile number 
published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. Requests for accounting that are submitted by mail 
should include the words ``PRIVACY ACT REQUEST'' in capital letters at 
the top of the letter and on the face of the envelope.
    (b) Verification of identity. Verification of the requester's 
identity as set forth in section 202.303(c) will be required before an 
accounting is given.
    (c) Acknowledgement of requests for an accounting of record 
disclosures. The Office of FOIA Services will endeavor to acknowledge, 
in writing, receipt of a request for an accounting of record 
disclosures within 10 days of receipt of such a request (excluding 
Saturdays, Sundays, and Federal holidays). When a request for an 
accounting of record disclosures is made in person, the requester will 
be given a written acknowledgement when the request is presented. The 
acknowledgement will describe the request received and indicate when it 
is anticipated that action will be taken on the request.
    (d) Time for acting on requests. The Office of FOIA Services will 
endeavor to respond to a request for an accounting of record 
disclosures within 30 days (excluding Saturdays, Sundays, and Federal 
holidays) from the date the request was received, unless the requester 
is notified in writing within the 30-day period that, for good cause 
shown, a longer period of time is required. In such cases, the 
requester will be informed in writing of the reasons for the delay and 
an indication will be given as to when it is anticipated that an 
accounting may be granted or denied.
    (e) Grant of request of accounting. If it is determined that a 
request for an accounting will be granted, the requester will be 
advised in writing. When a request for access is granted, in full or in 
part, the information will be provided electronically, by mail, or in 
person at the requester's election.
    (f) Denial of a request for accounting. If it is determined that 
the request will not be granted, the requester will be notified of that 
fact in writing and given the reasons for the denial. The requester 
also will be advised of his or her right to seek review by the Office 
of the General Counsel of the initial decision in accordance with the 
procedures set forth in Sec.  200.308.
    (g) Where accountings of record disclosures are not required. The 
Commission is not required to provide accountings of disclosures to 
requesters where they relate to:
    (1) Disclosures made to officers and employees within the 
Commission and disclosures made under the FOIA, 5 U.S.C. 552;
    (2) Disclosures made to law enforcement agencies for authorized law 
enforcement activities in response to written requests from those law 
enforcement agencies specifying the law enforcement activities for 
which disclosures are sought; or
    (3) Disclosures made from law enforcement systems of records that 
have been exempted from accounting requirements.


Sec.  200.308  Administrative appeals.

    (a) Administrative review. A requester who has been notified 
pursuant to Sec.  200.304(c), Sec.  200.306(d), or Sec.  200.307(d) 
that his or her inquiry or request has been denied in whole or in part, 
or who has received no response to a request for access or to amend 
within 30 days (excluding Saturdays, Sundays, and Federal holidays) 
after his or her request was received by the Office of the FOIA 
Services, may appeal to the Office of the General Counsel the adverse 
determination.
    (1) Appeals must be received within 90 calendar days of the date of 
the written denial of an inquiry or request and must be received no 
later than 11:59 p.m., eastern time, on the 90th day.
    (2) The appeal should be in writing and should provide the assigned 
request number, a copy of the original request, and the adverse 
determination. The appeal should also explain why the requester 
contends any adverse determination was in error. The requester may 
state such facts and cite such legal or other authorities as the 
requester may consider appropriate in support of the appeal. If only a 
portion of the adverse determination is appealed, the requester should 
specify which part is being appealed.
    (3) The appeal may be submitted by email ([email protected]) or online 
at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively submit an appeal by 
mail to the Securities and Exchange Commission, Office of FOIA 
Services, 100 F Street NE, Washington, DC 20549 or other mailing 
address or facsimile number published on the Commission's website at 
https://www.sec.gov/oso/help/foia-contact.html.

[[Page 65814]]

    (4) The Office of the General Counsel will endeavor to make a 
determination with respect to an appeal within 30 days after the 
receipt of such appeal (excluding Saturdays, Sundays, and Federal 
holidays) unless, for good cause shown, the Office of the General 
Counsel extends that period. If such an extension is made, the 
individual who is appealing will be advised in writing of the 
extension, the reasons therefor, and the anticipated date when the 
appeal will be decided.
    (5) If the Office of the General Counsel concludes that an inquiry 
or request for access, amendment or correction, or an accounting should 
be granted, it will issue a decision granting the inquiry or request 
and instructing the Office of FOIA Services to comply with Sec.  
200.304(b), Sec.  200.306(c), or Sec.  200.307(c), as applicable.
    (6) If the Office of the General Counsel affirms the initial 
decision denying an inquiry or request for access or an accounting, it 
will issue a decision denying the inquiry or request and advising the 
requester of:
    (i) The reasons for the denial; and
    (ii) The requester's right to obtain judicial review of the 
decision pursuant to 5 U.S.C. 552a(g)(1)(B) or (g)(1)(D), as 
applicable.
    (7) If the Office of the General Counsel determines that the 
decision of the Office of FOIA Services denying a request for amendment 
or correction should be upheld, it will issue a decision denying the 
request and the individual will be advised of:
    (i) The decision refusing to amend or correct the record and the 
reasons therefor;
    (ii) The requester's right to file a concise statement setting 
forth his or her disagreement with the decision not to amend or correct 
the record;
    (iii) The procedures for filing such a statement of disagreement;
    (iv) The fact that any such statement of disagreement will be made 
available to anyone to whom the record is disclosed, together with, if 
the Office of the General Counsel deems it appropriate, a brief 
statement setting forth the Office of the General Counsel's reasons for 
refusing to amend or correct;
    (v) The fact that prior recipients of the record in issue will be 
provided with the statement of disagreement and the Office of the 
General Counsel's statement, if any, to the extent that an accounting 
of such disclosures has been maintained pursuant to 5 U.S.C. 552a(c); 
and
    (vi) The requester's right to seek judicial review of the Office of 
the General Counsel's refusal to amend or correct, pursuant to 5 U.S.C. 
552a(g)(1)(A).
    (8) In appropriate cases the Office of the General Counsel may, in 
its sole discretion, refer matters requiring administrative review of 
initial decisions to the Commission for determination and the issuance, 
where indicated, of decisions.
    (b) Statements of disagreement. As noted in paragraph (a)(6)(ii) of 
this section, a requester may file a statement setting forth his or her 
disagreement with the Office of the General Counsel's denial of the 
request for amendment or correction.
    (1) Such statement of disagreement may be submitted by email 
([email protected]) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester who is not able to 
submit a statement of disagreement by email or online may submit a 
request by mail to the Securities and Exchange Commission, Office of 
FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing 
address or facsimile number published on the Commission's website at 
https://www.sec.gov/oso/help/foia-contact.html. A requester must submit 
a statement of disagreement within 30 days after receipt of the Office 
of the General Counsel's decision denying the request for amendment or 
correction. For good cause shown this period can be extended for a 
reasonable time.
    (2) Statements of disagreement should be concise and must clearly 
identify each part of any record that is disputed and state the basis 
for the requester's disagreement. The Office of the General Counsel 
will return unduly lengthy or irrelevant materials to the individual 
for appropriate revisions before they become a permanent part of the 
requester's record. Statements of disagreement will be placed in the 
system of records in which the disputed record is maintained. The 
disputed record will be marked to indicate that a statement of 
disagreement has been filed and where in the system of records it may 
be found.
    (3) If a requester has filed a statement of disagreement, the 
Office of FOIA Services will append a copy of it to the disputed record 
whenever the record is disclosed and may also append a concise 
statement of its reason(s) for denying the request for amendment or 
correction.
    (4) In appropriate cases, the Office of the General Counsel may, in 
its sole discretion, refer matters concerning statements of 
disagreement to the Commission for disposition.


Sec.  200.309  Fees.

    (a) The only fee to be charged to a requester under this part is 
for the duplication of records to be disclosed to the requester. No fee 
will be charged or collected for: search, retrieval, or review of 
records; or duplication at the initiative of the Commission without a 
request from the requester. Fees for duplication will be charged at 
rates set forth on the FOIA web page of the Commission's website at 
www.sec.gov. Fees for duplication include any costs incurred in making 
records available on electronic storage devices.
    (b) With regard to requests for amendment or correction, the 
Commission will provide the requester one copy of each record corrected 
or amended pursuant to his or her request without charge as evidence of 
the correction or amendment.
    (c) Whenever the Office of FOIA Services determines that good cause 
exists to grant a request for reduction or waiver of fees for 
duplication costs, it may reduce or waive any such fees.


Sec.  200.310  Specific exemptions.

    (a) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the following 
systems of records maintained by the Commission are exempt from 5 
U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I), 
and (f), and Sec. Sec.  200.303, 200.305, and 200.307, insofar as they 
contain investigatory materials compiled for law enforcement purposes:
    (1) Enforcement Files;
    (2) Office of the General Counsel Working Files;
    (3) Office of the Chief Accountant Working Files;
    (4) Correspondence Response System;
    (5) Tips, Complaints, and Referrals (TCR) Records; and
    (6) SEC Security in the Workplace Incident Records.
    (b) Pursuant to 5 U.S.C. 552a(k)(5), the systems of records 
containing the Commission's Disciplinary and Adverse Actions, Employee 
Conduct, and Labor Relations Files are exempt from 5 U.S.C. 552a(c)(3), 
(d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f), and Sec. Sec.  
200.303 through 200.309, insofar as they contain investigatory material 
compiled to determine an individual's suitability, eligibility, and 
qualifications for Federal civilian employment or access to classified 
information, but only to the extent that the disclosure of such 
material would reveal the identity of a source who furnished 
information to the Government under an express promise that the 
identity of the source would be held in confidence, or, prior to 
September 27, 1975, under an implied

[[Page 65815]]

promise that the identity of the source would be held in confidence.


Sec.  200.311  Inspector General exemptions.

    (a) Pursuant to, and limited by 5 U.S.C. 552a(j)(2), the system of 
records maintained by the Office of Inspector General of the Commission 
that contains investigative files is exempt from the provisions of 5 
U.S.C. 552a, except sections (b), (c)(1) and (2), (e)(4)(A) through 
(F), (e)(6), (e)(7), (e)(9), (e)(10), and (e)(11), and (i), and 
Sec. Sec.  200.303 through 200.309, insofar as the system contains 
information pertaining to criminal law enforcement investigations.
    (b) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the system of 
records maintained by the Office of Inspector General of the Commission 
that contains investigative files is exempt from 5 U.S.C. 552a(c)(3), 
(d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f) and Sec. Sec.  
200.303 through 200.309, insofar as it contains investigatory materials 
compiled for law enforcement purposes.


Sec.  200.312  [Reserved]

    By the Commission.

    Dated: September 20, 2023.
Vanessa A. Countryman,
Secretary.
[FR Doc. 2023-20690 Filed 9-25-23; 8:45 am]
BILLING CODE 8011-01-P