Download  

Effective Date: 12/9/85

Series: Information Resources Management

Part 383: Public Access to Records

Chapter 6: Privacy Act Notification, Access and Amendment Procedures

Originating Office: Office of Information Resources Management

6.1 Purpose. This chapter prescribes general procedures regarding an individual=s rights to know about, inspect and request amendment of records relating to him/her which are maintained in a system of records subject to the Privacy Act. Unless records are exempted as explained below, the Act gives individuals the right to know of the existence of records containing information about themselves (notification); to inspect the records to ensure their relevance, necessity, and accuracy (access); and to request changes in the information in the records when the information is irrelevant, unnecessary, or inaccurate (amendment).

6.2 Form of Request. To claim the rights afforded by the Privacy Act an individual should be advised of, and must follow the formal procedures established by the Department=s regulations. 43 CFR 2.60 (notification), 2.63 (access), and 2.71 (amendment) and the ARecords Access Procedure@ section of the notices describing systems of records instruct individuals how to submit their inquiries if they wish to invoke the Privacy Act. The system notices also instruct individuals as to where their written requests are to be addressed. See 383 DM 6.11 for guidance on handling combined FOIA and Privacy Act requests received from individuals for access to their records.

6.3 Informal Requests. Requests for notification, access, or amendment that do not conform to the requirements of the Departmental regulations, such as an oral request, may be honored by the bureau or office responsible for the system of records as a matter of administrative discretion. It is not necessary to require individuals to invoke the Privacy Act.

6.4 Exempted Records. The Privacy Act recognizes that some records on individuals should not be made available to the individuals. These exemptions from the notification and access provisions of the Act primarily involve records gathered in the course of criminal investigations, during the recruitment of new employees, or involving tests which could be compromised if shown to individuals. These exemptions apply only if adopted through rulemaking by the Secretary. The systems of records which have been exempted in whole or part from notification, access and amendment are listed in 43 CFR 2.79. In addition, records on individuals compiled in reasonable anticipation of a civil action or proceeding are not required to be made available to the individual.

A. Responding to Requests Involving Exempted Systems. The fact that a system of records has been exempted under some provisions of the Act does not mean that systems managers may not inform individuals that records on the individual exist or make the records available to the individual for inspection. Such decisions, however, cannot be capricious or arbitrary. Systems managers should develop, through experience, criteria that will permit, to the greatest extent practical, access by individuals to their records which are included in an exempted system of records.

B. Criteria for Denying Notification or Access Under an Exemption. Systems managers responsible for exempted systems of records shall be prepared to report on any criteria which has been developed as guidelines in denying a notification or access request, though these criteria need not be expressed in the denial to individuals. The exemption status is not to be viewed as an automatic command to deny but should be applied according to statable criteria.

C. Statutory Exemption. In addition to the provisions authorizing the Secretary to exempt records through rulemaking, the Act does contain one statutory exemption. This exemption provides that the Act does not allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.

6.5 Notification, Access and Amendment Guidelines. Guidelines suitable to the system of records shall be developed which instruct employees and contractors administering and maintaining the system on handling notification, access and amendment requests. These guidelines shall clearly state the rights of the named individuals to know about, see and request amendment except when the system of records has been exempted under the rulemaking provisions of the Act. The guidelines shall also clearly inform employees about handling situations that could lead to denying any request made by individuals with respect to their records.

6.6 Amendment of Records.

A. Changing the Records. When a record is changed in response to a request for amendment, the prior information shall be completely expunged from the file unless there is good reason to retain the prior information and retention is not inconsistent with the request for amendment. Such retention may be appropriate when the amendment updates a file rather than removes objectionable material and the prior information meets the requirements of the Act that information be correct, relevant and necessary.

B. Disclosure Notifications. The Privacy Act requires that all persons or agencies to whom incorrect or disputed data was disclosed, and for whom a disclosure accounting was made, be notified of the correct data or that it is in dispute. This notification requirement applies whether the change is made under the Privacy Act amendment provisions or in response to an informal request for amendment.

C. Filing Amendment Requests. Records accumulated in the course of an individual=s exercise of rights under the Privacy Act and information on this exercise of rights shall be retained, unless disposed of, in a way that will not taint the amended records or work against the interests of the individual.

6.7 Time Limits. The Privacy Act requires that requests for amendment be responded to or acknowledged within ten (10) working days of the request. The Department=s regulations specify that the request shall be acted on within 30 working days, unless extended 30 days by the system manager in accordance with the regulations (43 CFR 2.73). To the extent possible, the 10-day acknowledgment and 30-day action time limits should also be observed for inquiries about the existence of records or requests to inspect the records.

6.8 Authority to Deny. The Departmental regulations, 43 CFR 2.61(b), 2.64(b) and 2.72(b), require that denials shall be made by the system manager responsible for the system of records.

A. In the bureaus, the denial shall be concurred in by the Bureau Privacy Act Officer. However, the head of the bureau may, in writing, require that the decision be made by the Bureau Privacy Act Officer and/or that concurrence of the bureau head in the decision be obtained. Each bureau and system manager shall ensure that employees handling records covered by the Privacy Act are aware of this limitation.

B. In th Office of the Secretary and other Departmental offices not a part of a bureau, denials of access or amendment requests shall be made by the pertinent system manager, with the concurrence of the head of the office, or the office=s Privacy Act Officer/Coordinator if formally designated and authorized as prescribed in 43 CFR 2.61(b), 2.64(b), and 2.72(b).

6.9 General Guidelines Procedures. Appendix 1 to this chapter contains a set of general guidelines dealing with access situations for employees working with a system of records. These optional guidelines are to be supplemented with guidelines specific to each system of records, as discussed in 383 DM 4.4D.

6.10 Recordkeeping Requirements. System managers are responsible for maintaining records on formal access and amendment requests received during each calendar year. Formal requests are defined as written requests in which the individual cites or invokes the provisions of the Privacy Act. Data on the number of formal access or amendment requests received, number wholly or partially granted, number totally denied, and the number for which no records were found must be maintained for each system of records. The data is required to be included in the bureau=s annual report on the implementation of the Privacy Act as described in 383 DM 10.

6.11 Combined FOIA/Privacy Act Requests. From time to time, individuals may seek access to their records by citing both the FOIA and the Privacy Act. In such cases, the request must be handled so that the individuals are granted the greatest access to their records that either Act provides. The Department should, in applying any access restrictions, rely on the weakest exemption available, generally an FOIA exemption. If a written request from an individual for access to his/her records cites neither the FOIA nor the Privacy Act, and it is administratively decided to treat the request under either Act, then the request should be handled as a formal combined FOIA/Privacy Act request.

A. In processing such combined requests, the Department=s fee provisions applicable to Privacy Act requests (43 CFR 2.64(d)) should be followed (i.e., the individual may only be charged for reproduction of the records and not for search time) to the extent that the requested records are part of a system of records.

B. The time limits applicable to FOIA requests (43 CFR 2.16) should be followed in processing such dual requests.

----------------------------------------------------------------------------------------------------------------------

383 DM 6

Appendix 1

GENERAL INFORMATION AND GUIDELINES

FOR EMPLOYEES PROCESSING REQUESTS FOR

NOTIFICATION, ACCESS OR AMENDMENT OF

These instructions are for employees processing formal requests for notification, access or amendment involving systems of records subject to the Privacy Act of 1974. The Act grants individuals, subject to certain exceptions, the right to know whether information is being kept on them, to see the information, and to petition for changes in the information. These rights apply to systems of records accessed by an individual=s name, or by an identifying number, symbol or other identifier. The bureaus and offices of the Department have identified the record systems subject to the Act.

Certain personnel records prescribed by Federal Personnel Manual (FPM) Chapter 293 and FPM Supplement 293-31 are administered under regulations issued by the Office of Personnel Management (OPM). FPM chapters 294 and 297 provide OPM guidance on the availability of official personnel information, and the management of personnel records systems. These guidelines do not apply to OPM record systems.

To claim the rights afforded by the Privacy Act, an individual must follow the formal procedures established by the Department=s regulations (43 CFR Part 2, Subpart D). Bureaus, however, may honor requests for notification, access or amendment that do not meet the requirements of the regulations (i.e., an oral or telephone request). The system manager (the official responsible for the records you are handling) may issue instructions providing for responding to informal requests. This set of guidelines, though, assumes a formal request by the individual under the provisions of the Privacy Act.

In carrying out the instructions in these guidelines, keep in mind that individuals making requests under the Privacy Act are exercising rights granted by the Act. Responses, therefore, should be appropriate to these rights. Courtesy is a natural requirement. Equally important is the ease with which individuals are able to exercise these rights. Departmental policy is to facilitate exercise of Privacy Act rights. Inquiries from individuals shall be responded to as quickly and with as few procedural difficulties as possible.

The Privacy Act recognizes that individuals must be aware that certain systems of records exist before they can determine whether the system contains data about them. Therefore, the Act requires publication of a notice describing each system of records containing information about individuals which is accessible by an individual=s name, identifying number, symbol, or other identifier. A copy of the published notice for the records system with which you are working is available from the system manager or your Bureau Privacy Act Officer.

The published system notice both describes the system and explains how individuals can determine whether the system contains personal information pertaining to themselves. Generally, an individual needs only to provide his or her name for such a check. In some cases, however, other information is needed for locating records (e.g., social security number). In these cases the system notice will specify the additional information necessary for access.

Departmental regulations (43 CFR 2.60) require that requests for notification invoking the Privacy Act be in writing. These requests should be marked APrivacy Act Inquiry@ to ensure expeditious handling, should identify the system of records to which the inquiry pertains, and should comply with other requirements set forth in the system notice. Requests may be mailed or delivered personally to the location given in the system notice.

Upon receiving the request, you must determine if the request meets the above-noted requirements. If it does, then carry out the following steps:

A. Determine whether records on that individual are maintained in the files.

B. Determine if the records contain information gathered in reasonable anticipation of a civil action or proceeding, or if the system of records is exempt from notification requirements under a rule adopted by the Secretary. You should know whether an exemption has been claimed for the records you are working with. If you do not know, ask the system manager, read the system notice which has been published for the records system, or refer to 43 CFR 2.79. If either of the foregoing conditions apply, notify the system manager through the channels established for your system of records. The system manager is responsible for promptly notifying the individual whether he/she is entitled to know if any records exist. UNDER NO CIRCUMSTANCES SHOULD AN EMPLOYEE CONVEY TO THE INQUIRING INDIVIDUAL THAT THE RECORDS EXIST OR THAT THERE IS A RESTRICTION ON NOTIFICATION.

C. If you find records that are not subject to the exemptions noted in paragraph B above, determine the types of records and prepare a response to the requestor that identifies the records being kept so the individual may choose which ones he or she wishes to inspect. (This does not mean that the individual has a right to inspect the records since access to them may be restricted for other reasons. However, the requester has a right to know that they exist.)

D. Advise the individual if no records are found.

This step may or may not have been preceded by the procedures described above. Often an individual knows that records exist on him or her in the system, and may directly request access to them. Like an inquiry concerning the existence of records, a request for access must be in writing. (Departmental regulations, 43 CFR 2.63). The request should be marked APrivacy Act Request for Access@ and also should contain the information required by the above referenced regulation and the system notice.

Upon receiving a Privacy Act request for access you should take the following steps:

A. Determine the individual=s identify. Usually the signature on the letter or an identification card will suffice. Your system manager or the system notice will inform you if additional identification is required.

B. Determine whether the requested records are open for inspection by the individual. The Privacy Act requires that records be available for inspection unless compiled in reasonable anticipation of a civil action or proceeding or exempted by a rule adopted by the Secretary. Your system manager is responsible for giving you guidance on how to handle records that are exempted from the access provisions of the Act. You should know whether an exemption has been claimed for the records you are working with. If you do not know, ask the system manager, read the system notice which has been published for the records system, or refer to 43 CFR 2.79.

C. If the records are open for inspection by the individual, retrieve the records and make them available to the individual in a suitable space.

Note: The Privacy Act gives the individual the right to see his or her records unless they are exempted. An access request must be acted on promptly. The agency may not plead cost or workload burden as a reason for not making the records available or for taking a long time to respond. The agency also may not charge the requester for any costs related to making the information and records available unless copies have been requested. In those cases only copying costs may be charged.

(1) If the individual is accompanied by a third party who also is to see the records, you should obtain a written, signed statement from the individual whose records are being examined stating that the other party may be present during the inspection.

(2) If the request to inspect the records specifies that copies of the record are to be sent to the individual, the request should also state the amount of money the individual is willing to pay for the copies.

(a) Your system manager should have provided you a copy of the Department=s schedule of charges for providing copies of the records (43 CFR 2, Appendix A). If this schedule is not available, obtain it from the system manager. Determine the number of copies required and the amount to be charged. If the charge will equal or be less than the amount indicated in the letter, make the requested copies of the record and send them to the requester along with a bill for collection (DI 1040).

(b) If the cost will exceed the stipulated amount, advise the individual of the full anticipated cost and costs of portions (if appropriate) of the record. The requester must agree in writing to pay fees as high as are anticipated before processing of the request is completed.

(c) Your system manager may specify that medical records in the system, including psychological records, are not to be shown to the individual. In such cases, copies of the medical records may be sent to a physician of the individual=s choice upon the receipt of a letter from the physician requesting the file on behalf of the individual. That physician will then decide whether to reveal the contents of the medical record to the individual. There is no charge for such copies, even if the physician retains them.

The Privacy Act requires, among other things, that agencies collect, maintain, use or disseminate any records of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose. It also requires that the information be current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information. If, on inspection of his or her records, the individual believes that the records contain information inconsistent with the above requirements, he or she may request that the information be corrected or removed from the files.

The system manager is responsible for determining whether the information in the files is relevant, necessary, and accurate. Since these three conditions are not always clear-cut, there is a strong possibility that individuals will disagree with what is in their records and want it removed or changed under one of the above three criteria. The Privacy Act requires that requests for amendment be responded to or acknowledged within 10 days. Thus, prompt action is needed.

The Departmental regulations (43 CFR 2.71) require that a petition for amendment be submitted in writing, and that the request be submitted to the system manager. Thus, it is likely that your involvement in amending records will be through inquiry to, and instruction from, the system manager.

In some cases, individuals personally inspecting their records may see routine information, such as an address or telephone number, that is incorrect. IF YOUR SYSTEM MANAGER HAS PROVIDED GUIDELINES AUTHORIZING SUCH CHANGES IN THE RECORDS, YOU MAY MAKE THEM IN ACCORDANCE WITH THE GUIDELINES.

*

12/9/85 #3452

Replaces 12/9/85 #2659