Department of the Interior


Departmental Manual

 

 

Effective Date: 8/26/86

Series: Information Resources Management

Part 383: Public Access to Records

Chapter 3: Privacy Act - Bureau Responsibilities

 

Originating Office: Office of Information Resources Management

 

 

This chapter has been given a new release number.*  No text changes were made.

 

383 DM 3

 

3.1     Purpose.  This chapter defines the responsibilities of the bureaus (as defined in 383 DM 1.4E) in implementing requirements of the Privacy Act of 1974, as amended, (5 U.S.C. 552a), related Departmental regulations (43 CFR Part 2, Subpart D), and these directives.

 

3.2     Identification of Systems.  Each bureau is responsible for ensuring that all bureau systems of records subject to the Act are identified and maintained in accordance with the Act.

 

3.3     System Notices.   Each bureau is responsible for establishing and maintaining system notices for all systems of records under its jurisdiction.  System notice requirements are described in 383 DM 5.

 

3.4     Maintenance of Records.  Bureaus are responsible for developing and implementing procedures for maintaining personal information in their systems of records subject to the provisions of the Act in such a way as to ensure full compliance with the Act and with related regulations and directives issued by the Department.  Standards for the maintenance of records subject to the Act are described in the Departmental regulations, 43 CFR 2.48, and involve the content of the records, data collection practices, and the use, safeguarding, and disposal of personal information in the records.

 

3.5     Bureau Privacy Act Officers.  Each bureau head is required to designate a Bureau Privacy Act Officer and to report the name, title, business address, and telephone number of the designee to the Departmental Privacy Act Officer.

 

3.6     System Managers.   Each bureau head is responsible for designating for each system of records a responsible official to serve as system manager, whose title and business address are required by the Act to be included in the system notice.  The bureau is also responsible for designating a regular bureau employee to be the system manager for a system of records developed or maintained by a contractor, as explained in the Department's regulations, 43 CFR 2.53.

 

3.7     Integrity of Records.   Each bureau is responsible for ensuring that specific procedures are developed for maintaining each of its systems of records with appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records, and to protect against the possibility of substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.  These procedures must be developed for both manual and computerized records, as detailed in the Department's regulations (43 CFR 2.51) and in 383 DM 8.

 

3.8     Conduct of Employees.   Each bureau is responsible for ensuring that all employees with access to a system of records are aware of the requirements of the Act (5 U.S.C. 552a(i)(1)) and the Department's regulations (43 CFR 2.52) concerning the handling, disclosure, and alteration of such records and the possibility of criminal penalties for improper disclosure.  See 383 DM 9 for a more detailed description of standards of conduct.

 

3.9     Disclosure of Records.   Each bureau is responsible for developing specific procedures to ensure that no record is disclosed to a third party without written authorization of the individual to whom the record pertains, unless the disclosure is in accordance with one of the general or specific exceptions listed in the Department's guidelines and regulations (383 DM 7.2 and 43 CFR 2.56).  Bureaus are also responsible for implementing disclosure accounting procedures required by the Act.  General disclosure procedures to be followed are described in 383 DM 7.

 

3.10   Notification, Access and Amendment.  Each bureau is responsible for developing specific procedures for implementing the Department's regulations (43 CFR 2.60-2.73) concerning requests for notification of the existence of records, requests for access to records, and petitions for amendment made under the Act.  These specific bureau procedures must conform with the procedures prescribed by the Department in 383 DM 6.

 

3.11   Instruction of Employees.  Each bureau is responsible for providing informational and training materials concerning employee responsibilities under the Act to all employees handling Privacy Act records.  Each bureau is additionally responsible for ensuring that employees working with each system are appropriately instructed concerning any special responsibilities associated with that system that are not common to all systems of the bureau.  Also, orientation materials for new employees and appointees to key positions should contain a general and summary briefing on the Privacy Act and its substantive provisions.

 

3.12   Records on Access, Amendment, and Disclosure.  Each bureau is responsible for compiling records on access, amendment, and disclosure activity within each system of records.  Such information is described in 383 DM 10 and will be required to be reported to the Office of Management and Budget.  Requirements for recording access and disclosure activity are described in 383 DM 6 and 383 DM 7, respectively.

 

3.13   Periodic Program Reviews.  Paragraph 3a of Appendix I to OMB Circular A-130 requires the periodic review of certain aspects of each agency's Privacy Act implementation program.  The reviews required and their frequency are described in Appendix 1 to this chapter.  Each bureau and office maintaining Privacy Act systems of records should appropriately plan, execute, and document results of the required reviews so that adequate information will be available for Department review and reporting to OMB.  The internal scheduling, format, and conduct of the reviews are left to the discretion of each bureau and office.

 

3.14   On-Site Inspections.  Bureau Privacy Act Officers are responsible for conducting or directing the periodic inspection of areas where records subject to the Privacy Act are maintained.  Such inspections should encompass the proper safeguarding of records; maintenance of records on disclosures, access and amendment requests; and physical safeguards, including the posting of warning notices.  The scheduling of periodic on-site inspections can be integrated with the program reviews described in 383 DM 3.13.  Information on the conduct and results of such inspections will be requested in the annual report to the Department described in 383 DM 10.

 

 

383 DM 3

Appendix 1

 

PRIVACY ACT PROGRAM REVIEWS

(Required by Paragraph 3a, Appendix E, OMB Circular A-130)

 

 

Description of Review

1.  Contracts.  Review a random sample of agency contracts that provide for the maintenance of a system of records on behalf of the agency to accomplish an agency function, in order to ensure that the wording of each contract makes the provisions of the Act apply (5 U.S.C. 552a(m)(1); 383 DM 4.6).

    Frequency: Biennially
    Calendar Year Scheduled: CY 1987; CY 1989; every 2 years thereafter

2.  Recordkeeping Practices.  Review agency recordkeeping and disposal policies and practices in order to ensure compliance with the Act.  Internal policies and procedures published to implement the Privacy Act should be included in the review.

    Frequency: Annually
    Calendar Year Scheduled: CY 1986; every year thereafter

3.  Routine Use Disclosure.  Review the routine use disclosures associated with each system of records in order to ensure that the recipient's use of such records continues to be compatible with the purpose for which the disclosing agency originally collected the information.

    Frequency: Triennially
    Calendar Year Scheduled: CY 1986; CY 1989; every 3 years thereafter

4.  Exemption of Systems of Records.  Review each system of records for which the agency has promulgated exemption rules pursuant to Sections (j) or (k) of the Privacy Act in order to determine whether such exemption is still needed (43 CFR 2.79).

    Frequency: Triennially
    Calendar Year Scheduled: CY 1988; CY 1991; every 3 years thereafter

5.  Matching Programs.  Review each ongoing matching program in which the agency has participated during the year, either as a source or as a matching agency, in order to ensure that the requirements of the Act, the OMB Matching Guidelines, and the OMB Model Control System and Checklist have been met (383 DM 12).

    Frequency: Annually
    Calendar Year Scheduled: CY 1986; every year thereafter

6.  Privacy Act Training.  Review agency training practices in order to ensure that all agency personnel are familiar with the requirements of the Act, with the agency's implementing regulations, and with any special requirements that their specific jobs entail.

    Frequency: Annually
    Calendar Year Scheduled: CY 1986; every year thereafter

7.  Violations.  Review the actions of agency personnel that have resulted either in the agency being found civilly liable under Section (g) of the Act, or an employee being found criminally liable under the provisions of Section (i) of the Act, in order to determine the extent of the problem and to find the most effective way to prevent recurrences of the problem.

    Frequency: Annually
    Calendar Year Scheduled: CY 1986; every year thereafter

8.  Systems of Records Notices.  Review each system of records notice to ensure that it accurately describes the system.  Where minor changes are needed, ensure that an amended notice is published in the Federal Register.  This requirement is distinguished from and in addition to the requirement to report to OMB and the Congress major changes to systems of records and to publish those changes in the Federal Register (see 383 DM 5.3).

    Frequency: Annually
    Calendar Year Scheduled: CY 1986; every year thereafter

* 8/26/86 #3449 (Replaces 8/26/86 #2703)