Date: March 1, 2000
Sunset Review: March 1, 2004
SUBJECT: The Privacy Act of 1974, As Amended
1. PURPOSE. This Directive restates policy and assigns responsibilities for carrying out the requirements of the Privacy Act of 1974, as amended (Privacy Act). This Directive also authorizes the issuance of Treasury Department Publication (TD P) 25-04, "Privacy Act Handbook."
2. SCOPE. This Directive applies to all bureaus, offices and organizations in the Department of the Treasury, including the Office of the Inspector General (OIG) and the Treasury Inspector General for Tax Administration (TIGTA).
3. POLICY. It is the policy of the Department of the Treasury that all employees shall be made aware of, and comply with, the Privacy Act and that information about individuals shall be collected, maintained, used, and disseminated in accordance with the Privacy Act and Treasury regulations set forth at 31 Code of Federal Regulations (CFR) Part 1, Subpart C.
4. DEFINITIONS.
a. Individual. A citizen of the United States or an alien lawfully admitted for permanent residence.
b. Privacy Act Record. Any item, collection, or grouping of information about an individual that is maintained by Treasury, including, but not limited to, the individual's education, financial transactions, medical history, and criminal or employment history and that contains the name, or an identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.
c. Responsible Official. The official having custody of the records requested, or a designated official, who makes initial determinations whether to grant or deny requests for notification, access to records, accounting of disclosures, and amendments of records.
d. System Manager. The official identified in the system notice as the manager of the system of records.
e. System of Records. A group of any records under the control of Treasury from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
5. RESPONSIBILITIES. System managers, program managers, personnel employees, procurement employees, attorneys/advisors, disclosure personnel shall be knowledgeable about the provisions and requirements of the Privacy Act.
a. The Assistant Secretary for Management and Chief Financial Officer is responsible for ensuring Treasury's compliance with the Privacy Act of 1974, as amended.
b. The Chief Management and Administrative Programs Officer shall approve, subject to Treasury Directive (TD) 28-01, the notices, determinations and regulations required to be published by the Privacy Act of 1974, as amended. This includes the authority to ratify, where necessary, any such notice or regulation previously issued. The authority in this paragraph may not be delegated. During the absence of the Chief Management and Administrative Programs Officer, any required notices, determinations and regulations shall be approved by the Assistant Secretary for Management and Chief Financial Officer.
c. The Departmental Disclosure Officer, Information Services Division, DO, shall:
(1) coordinate the implementation and management of the Privacy Act within Treasury;
(2) act as the principal point of contact and the Department's representative for matters related to the Privacy Act;
(3) issue, and revise as needed, Treasury regulations implementing the Privacy Act and review proposed changes to bureau disclosure regulations;
(4) assign Privacy Act requests to appropriate responsible officials for action and follow up as necessary;
(5) notify a requester when all the information needed to process a request for DO records was not provided;
(6) collect, review, consolidate, and submit the data for the President's biennial Report to Congress for transmittal to OMB; and manage and conduct other reporting requirements, as needed;
(7) coordinate, review, revise, and submit:
(a) the Privacy Act compilation of notices of Treasury's systems of records for publication in the Federal Register;
(b) notices and reports on new or altered systems of records to the Office of Management and Budget (OMB), Congress, and the Federal Register on behalf of Treasury;
(c) notices, reports, and proposed rules to OMB, Congress, and the Federal Register concerning exempt systems of records on behalf of Treasury; and
(d) notices and reports for computer matches covered under the provisions of the Computer Matching and Privacy Protection Act of 1988 to OMB, Congress, and the Federal Register on behalf of Treasury;
(8) be prepared to report the results of reviews conducted by the bureaus as specified in OMB Circular A-130, Appendix I, paragraph 3.a., to the Director, OMB, including any corrective action taken;
(9) furnish policy, technical advice, and assistance to the bureaus on publication of notices of systems of records;
(10) review all Treasury forms and data collection screens used to collect information about individuals (except forms and data collection screens developed and used by the individual bureaus), reserving the right to disapprove the use of any such forms or data collection screens not believed to be in compliance with the Privacy Act and implementing regulations and guidelines;
(11) supervise the implementation of the Privacy Act within DO; and
(12) ensure that the bureaus:
(a) carry out the provisions of this Directive, OMB Circular A-130, Appendix I, Treasury disclosure regulations found at 31 CFR Part 1, and the Privacy Act;
(b) provide guidance for employees and contractors who are involved in designing, operating, or maintaining Treasury Privacy Act systems of records; and
(c) conduct Privacy Act training of employees and contractors who are involved in maintaining Treasury Privacy Act systems of records.
(13) in partnership with the Office of the Deputy Assistant Secretary for Information Systems and Chief Information Officer, participate on government-wide task forces on computer technology concerned with establishing or affecting policies for collecting, compiling, using, maintaining and safeguarding Federal Privacy Act systems of records.
d. The Chief Management and Administrative Programs Officer and Heads of Bureaus, as it relates to their respective bureaus and offices, shall:
(1) establish internal procedures to ensure the effectiveness of Treasury's Privacy Act program and to safeguard individual privacy in the collection, compilation, maintenance, use, and dissemination of Federal records. The procedures shall be consistent with this Directive and:
(a) the Privacy Act of 1974, as amended;
(b) the Computer Matching and Privacy Protection Act of 1988;
(c) the Computer Security Act of 1987;
(d) Treasury disclosure regulations (31 CFR Part 1);
(e) Treasury's "Privacy Act Handbook" TD P 25-04
(f) OMB Circular A-130; and
(g) applicable National Archives and Records Administration and Office of Personnel Management (OPM) guidelines;
(2) submit the following, as required, to the Departmental Disclosure Officer for the review and approval of the Assistant Secretary for Management and Chief Financial Officer:
(a) accurate data for the President's Report to Congress;
(b) other reports as required by OMB Circular A-130, or as required by the Departmental Disclosure Officer.
(3) submit the following, as required, to the Departmental Disclosure Officer for the review and approval of the Chief Management and Administrative Programs Officer:
(a) a notice and report for each new or altered system of records;
(b) a proposed and final rule for any determination to exempt a system of records;
(c) a notice and report of the establishment or alteration of a matching program; and
(d) any proposed rules or amendments to existing Privacy Act regulations for review and concurrence prior to the review and concurrence procedures under TD 28-01.
(4) establish an internal review of all bureau forms and data collection screens used to collect information about individuals to ensure that the forms and screens are in compliance with the Privacy Act and implementing regulations and guidelines.
e. The Deputy Assistant Secretary for Information Systems and Chief Information Officer shall:
(1) provide assistance as needed to the Departmental Disclosure Officer (DDO) regarding any proposed or anticipated change to computer installations, communications networks, or other electronic data collecting mechanisms which may be potentially subject to the Privacy Act;
(2) assist the bureaus in the implementation of uniform and consistent policies and standards governing the acquisition, maintenance and use of computers or other electronic or telecommunications equipment in the collection, compilation, maintenance, use, or dissemination of Privacy Act records;
(3) provide security guidance to the bureaus regarding the processing, storing, transferring or receiving of information on individuals by computer, electronic or other telecommunications means or networks; and
(4) in partnership with the Departmental Disclosure Office, participate on government-wide task forces on computer technology concerned with establishing or affecting policies for collecting, compiling, using, maintaining and safeguarding Federal Privacy Act systems of records.
(5) Provides the DDO with proposed data collection screens, or other electronic data collecting mechanisms used to collect information about individuals, for Privacy Act compliance review prior to their use on the Intranet or Internet.
f. The Assistant General Counsel (General Law and Ethics) shall provide assistance as required by the Departmental Disclosure Officer in the clearance of reports, notices of systems of records, proposed rules, and other related matters to be submitted by Treasury to Congress, OMB, and other parties.
g. Systems Managers shall:
(1) ensure compliance with the Privacy Act and notify the bureau Privacy Act Officer or the Departmental Disclosure Officer when establishing, maintaining, revising, or deleting a system of records;
(2) establish administrative and physical controls for storing and safeguarding records. Subject to bureaus' internal operating procedures, controls shall be consistent with Treasury's security and recordkeeping regulations to ensure the protection of records systems from unauthorized access or disclosure, and from physical damage or destruction; and
(3) establish and implement appropriate means for the accounting of disclosures made pursuant to the Act.
h. Responsible Officials shall:
(1) ensure that Privacy Act requests are processed in accordance with Treasury's disclosure regulations;
(2) determine whether to grant or deny requests for notification, access to records, accounting of disclosures, and amendments records;
(3) notify the requester of any determination(s) made pursuant to paragraph 5.h.(2);
(4) determine all costs for processing a request and determine whether duplication fees will be charged to the requester or waived; and
(5) retrieve records retired to the Federal Records Center if they are needed to process a request.
i. Appeal Authorities shall, upon receipt of a request for a review of a refusal to amend a record, either affirm or reverse the initial determination that denies amendment of a record under the Privacy Act. Appeal authorities are those officials specified in the appendices to 31 CFR Part 1, Subpart C
6. AUTHORITIES.
a. Privacy Act of 1974, as amended, 5 U.S.C. 552a, Public Law (Pub.L.) 93-579.
b. Department of the Treasury Regulations, 31 CFR Part 1, Subpart C.
7. REFERENCES.
a. Computer Matching and Privacy Protection Act of 1988, Pub.L. 100-503.
b. Computer Security Act of 1987, Pub.L. 100-235.
c. Department of the Treasury Employee Rules of Conduct, 31 CFR Part 0.
d. OMB Circular A-130, "Management of Federal Information Resources," dated February 20, 1996.
e. OMB Circular A-108, "Privacy Act Implementation," dated July 9, 1975.
f. OPM Regulations, 5 CFR 297.
g. TD P 25-04, "Privacy Act Handbook."
h. TD 28-01, "Preparation and Review of Regulations."
i. TD 25-06, "The Treasury Data Integrity Board."
8. CANCELLATION. TD 12-52, "Approval of Privacy Act Documents," dated October 8, 1996, is cancelled. TD 25-04, "The Privacy Act of 1974, as amended," dated October 8, 1996, is superseded.
9. OFFICE OF PRIMARY INTEREST. Disclosure Services, Information Services Division, Chief Management and Administrative Programs Officer, Office of the Assistant Secretary for Management and Chief Financial Officer.
/S/
Lisa Ross
Acting Assistant Secretary for Management
and Chief Financial Officer