1. Purpose and Scope.
This Appendix describes agency responsibilities for implementing
the reporting and publication requirements of the Privacy Act of
1974, 5 U.S.C. 552a, as amended (hereinafter "the Act"). It
applies to all agencies subject to the Act. Note that this
Appendix does not rescind other guidance OMB has issued to help
agencies interpret the Privacy Act's provisions, e.g., Privacy
Act Guidelines (40 FR 28949-28978, July 9, 1975), or Final
Guidance for Conducting Matching Programs (54 FR at 25819, June
19, 1989).
2. Definitions.
a. The terms "agency," "individual," "maintain," "record,"
"system of records," and "routine use," as used in this Appendix,
are defined in the Act (5 U.S.C. 552a(a)).
b. Matching Agency. Generally, the Recipient Federal agency (or
the Federal source agency in a match conducted by a nonfederal
agency) is the matching agency and is responsible for meeting the
reporting and publication requirements associated with the
matching program. However, in large, multi-agency matching
programs, where the recipient agency is merely performing the
matches and the benefit accrues to the source agencies, the
partners should assign responsibility for compliance with the
administrative requirements in a fair and reasonable way. This
may mean having the matching agency carry out these requirements
for all parties, having one participant designated to do so, or
having each source agency do so for its own matching program(s).
c. Nonfederal Agency. Nonfederal agencies are State or local
governmental agencies receiving records from a Federal agency's
automated system of records to be used in a matching program.
d. Recipient Agency. Recipient agencies are Federal agencies or
their contractors receiving automated records from the Privacy
Act systems of records of other Federal agencies, or from State
or local governments, to be used in a matching program as defined
in the Act.
e. Source Agency. A source agency is a Federal agency that
discloses automated records from a system of records to another
Federal agency or to a State or local agency to be used in a
matching program. It is also a State or local agency that
discloses records to a Federal agency for use in a matching
program.
3. Assignment of Responsibilities.
a. All Federal Agencies. In addition to meeting the agency
requirements contained in the Act and the specific reporting and
publication requirements detailed in this Appendix, the head of
each agency shall ensure that the following reviews are conducted
as often as specified below, and be prepared to report to the
Director, OMB, the results of such reviews and the corrective
action taken to resolve problems uncovered. The head of each
agency shall:
- Section (m) Contracts. Review every two years a random
sample of agency contracts that provide for the maintenance of a
system of records on behalf of the agency to accomplish an agency
function, in order to ensure that the wording of each contract
makes the provisions of the Act binding on the contractor and his
or her employees. (See 5 U.S.C. 552a(m)(1))
- Recordkeeping Practices. Review annually agency
recordkeeping and disposal policies and practices in order to
assure compliance with the Act, paying particular attention to
the maintenance of automated records.
- Routine Use Disclosures. Review every four years the
routine use disclosures associated with each system of records in
order to ensure that the recipient's use of such records
continues to be compatible with the purpose for which the
disclosing agency collected the information.
- Exemption of Systems of Records. Review every four years
each system of records for which the agency has promulgated
exemption rules pursuant to Section (j) or (k) of the Act in
order to determine whether such exemption is still needed.
- Matching Programs. Review annually each ongoing matching
program in which the agency has participated during the year,
either as a source or as a matching agency, in order to ensure
that the requirements of the Act, the OMB guidance, and any
agency regulations, operating instructions, or guidelines have
been met.
- Privacy Act Training. Review annually agency training
practices in order to ensure that all agency personnel are
familiar with the requirements of the Act, with the agency's
implementing regulation, and with any special requirements of
their specific jobs.
- Violations. Review annually the actions of agency personnel
that have resulted either in the agency being found civilly
liable under Section (g) of the Act, or an employee being found
criminally liable under the provisions of Section (i) of the Act,
in order to determine the extent of the problem and to find the
most effective way to prevent recurrence of the problem.
- Systems of Records Notices. Review annually each system of
records notice to ensure that it accurately describes the system
of records. Where minor changes are needed, e.g., the name of
the system manager, ensure that an amended notice is published in
the Federal Register. Agencies may choose to make one annual
comprehensive publication consolidating such minor changes. This
requirement is distinguished from and in addition to the
requirement to report to OMB and Congress significant changes to
systems of records and to publish those changes in the Federal
Register (See paragraph 4c of this Appendix).
b. Department of Commerce. The Secretary of Commerce shall,
consistent with guidelines issued by the Director, OMB, develop
and issue standards and guidelines for ensuring the security of
information protected by the Act in automated information
systems.
c. The Department of Defense, General Services Administration,
and National Aeronautics and Space Administration. These
agencies shall, consistent with guidelines issued by the
Director, OMB, ensure that instructions are issued on what
agencies must do in order to comply with the requirements of
Section (m) of the Act when contracting for the operation of a
system of records to accomplish an agency purpose.
d. Office of Personnel Management. The Director of the Office
of Personnel Management shall, consistent with guidelines issued
by the Director, OMB:
- Develop and maintain government-wide standards and
procedures for civilian personnel information processing and
recordkeeping directives to assure conformance with the Act.
- Develop and conduct Privacy Act training programs for agency
personnel, including both the conduct of courses in various
substantive areas (e.g., administrative, information technology)
and the development of materials that agencies can use in their
own courses. The assignment of this responsibility to OPM does
not affect the responsibility of individual agency heads for
developing and conducting training programs tailored to the
specific needs of their own personnel.
e. National Archives and Records Administration. The Archivist
of the United States through the Office of the Federal Register,
shall, consistent with guidelines issued by the Director, OMB:
- Issue instructions on the format of the agency notices and
rules required to be published under the Act.
- Compile and publish every two years the rules promulgated
under 5 U.S.C. 552a(f) and agency notices published under 5
U.S.C. 552a(e)(4) in a form available to the public at low cost.
- Issue procedures governing the transfer of records to
Federal Records Centers for storage, processing, and servicing
pursuant to 44 U.S.C. 3103. For purposes of the Act, such
records are considered to be maintained by the agency that
deposited them. The Archivist may disclose deposited records
only according to the access rules established by the agency that
deposited them.
f. Office of Management and Budget. The Director of the
Office of Management and Budget will:
- Issue guidelines and directives to the agencies to
implement the Act.
- Assist the agencies, at their request, in implementing
their Privacy Act programs.
- Review new and altered system of records and matching
program reports submitted pursuant to Section (o) of the Act.
- Compile the biennial report of the President to Congress
in accordance with Section (s) of the Act.
- Compile and issue a biennial report on the agencies'
implementation of the computer matching provisions of the Privacy
Act, pursuant to Section (u)(6) of the Act.
4. Reporting Requirements. The Privacy Act requires agencies to
make the following kinds of reports:
Each entry below gives the report, when it is due, and the recipient**:
- Biennial Privacy Act Report. When due: June 30, 1994, 1996,
1998, 2000. Recipient: Administrator, OIRA.
- Biennial Matching Activity Report. When due: June 30, 1994,
1996, 1998, 2000. Recipient: Administrator, OIRA.
- New System of Records Report. When due: when establishing a
system of records, at least 40 days before operating the system.*
Recipient: Administrator, OIRA; Congress.
- Altered System of Records Report. When due: when adding a new
routine use or exemption, or otherwise significantly altering an
existing system of records, at least 40 days before the change to
the system takes place.* Recipient: Administrator, OIRA; Congress.
- New Matching Program Report. When due: when establishing a new
matching program, at least 40 days before operating the program.*
Recipient: Administrator, OIRA; Congress.
- Renewal of Existing Matching Program. When due: at least 40
days prior to expiration of the one-year extension of the original
program; treat as a new program. Recipient: Administrator, OIRA;
Congress.
- Altered Matching Program. When due: when making a significant
change to an existing matching program, at least 40 days before
operating the altered program.* Recipient: Administrator, OIRA;
Congress.
- Matching Agreements. When due: at least 40 days prior to the
start of the matching program.* Recipient: Congress.
* Review Period: Note that the statutory reporting requirement
is 30 days prior; the additional 10 days will ensure that OMB and
Congress have sufficient time to review the proposal. Agencies
should therefore ensure that reports are mailed expeditiously
after being signed.
** Recipient Addresses: At bottom of envelope print "PRIVACY ACT
REPORT"
House of Representatives:
The Chair of the House Committee on Government Operations, 2157
RHOB, Washington, D.C. 20515-6143.
Senate:
The Chair of the Senate Committee on Governmental Affairs, 340
SDOB, Washington, D.C. 20510-6250.
Office of Management and Budget:
The Administrator of the Office of Information and Regulatory
Affairs, Office of Management and Budget, ATTN: Docket Library,
NEOB Room 3201, Washington, D.C. 20503.
a. Biennial Privacy Act Report. To provide the necessary
information for the biennial report of the President, agencies
shall submit a biennial report to OMB, covering their Privacy Act
activities for the calendar years covered by the reporting
period. The exact format of the report will be established by
OMB. At a minimum, however, agencies should collect and be
prepared to report the following data on a calendar year basis:
- A listing of publication activity during the year
showing the following:
* Total Number of Systems of Records (Exempt/NonExempt)
* Number of New Systems of Records Added (Exempt/NonExempt)
* Number of Routine Uses Added
* Number Exemptions Added to Existing Systems
* Number Exemptions Deleted from Existing Systems
* Total Number of Automated Systems of Records (Exempt/NonExempt)
The agency should provide a brief narrative describing those
activities in detail, e.g., "the Department added a (k)(1)
exemption to an existing system of records entitled
"Investigative Records of the Office of Investigations;" or "the
agency added a new routine use to a system of records entitled
"Employee Health Records" that would permit disclosure of health
data to researchers under contract to the agency to perform
workplace risk analysis."
- A brief description of any public comments received on
agency publication and implementation activities, and agency
response.
- Number of access and amendment requests from record
subjects citing the Privacy Act that were received during the
calendar year of the report. Also the disposition of requests
from any year that were completed during the calendar year of the
report:
* Total Number of Access Requests
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
    Number For Which No Record Found
* Total Amendment Requests
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
* Number of Appeals of Denials of Access
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
    Number For Which No Record Found
* Number of Appeals of Denials of Amendment
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
- Number of instances in which individuals brought suit
under section (g) of the Privacy Act against the agency and the
results of any such litigation that resulted in a change to
agency practices or affected guidance issued by OMB.
- Results of any reviews undertaken in response to
paragraph 3a of this Appendix.
- Description of agency Privacy Act training activities
conducted in accordance with paragraph 3a(6) of this Appendix.
b. Biennial Matching Activity Report (See 5 U.S.C.
552a(u)(3)(D)). At the end of each calendar year, the Data
Integrity Board of each agency that has participated in matches
covered by the computer matching provisions of the Privacy Act
will collect data summarizing that year's matching activity. The
Act requires that such activity be reported every two years. OMB
will establish the exact format of the report, but agencies' Data
Integrity Boards should be prepared to report the data identified
below both to the agency head and to OMB.
- A listing of the names and positions of the members of
the Data Integrity Board and showing separately the name of the
Board Secretary, his or her agency mailing address, and telephone
number. Also show and explain any changes in membership or
structure occurring during the reporting year.
- A listing of each matching program, by title and
purpose, in which the agency participated during the reporting
year. This listing should show names of participant agencies,
give a brief description of the program, and give a citation
including the date to the Federal Register notice describing the
program.
- For each matching program, an indication of whether the
cost/benefit analysis performed resulted in a favorable ratio.
The Data Integrity Board should explain why the agency proceeded
with any matching program for which an unfavorable ratio was
reached.
- For each program for which the Board waived a
cost/benefit analysis, reasons for the waiver and the results of
match, if tabulated.
- A description of each matching agreement the Board
rejected and an explanation of why it was rejected.
- A listing of any violations of matching agreements that
have been alleged or identified, and a discussion of any action
taken.
- A discussion of any litigation involving the agency's
participation in any matching program.
- For any litigation based on allegations of inaccurate
records, an explanation of the steps the agency used to ensure
the integrity of its data as well as the verification process it
used in the matching program, including an assessment of the
adequacy of each.
c. New and Altered System of Records Report. The Act
requires agencies to publish notices in the Federal Register
describing new or altered systems of records, and to submit
reports to OMB, and to the Chair of the Committee on Government
Operations of the House of Representatives, and the Chair of the
Committee on Governmental Affairs of the Senate. The reports must
be transmitted at least 40 days prior to the operation of the new
system of records or the date on which the alteration to an
existing system takes place.
- When to Report Altered Systems of Records. Minor
changes to systems of records need not be reported. For example,
a change in the designation of the system manager due to a
reorganization would not require a report, so long as an
individual's ability to gain access to his or her records is not
affected. Other examples include changing applicable safeguards
as a result of a risk analysis or deleting a routine use when
there is no longer a need for the disclosure. The following
changes are those for which a report is required:
(a) A significant increase in the number of
individuals about whom records are maintained. For example, a
decision to expand a system that originally covered only
residents of public housing in major cities to cover such
residents nationwide would require a report. Increases
attributable to normal growth should not be reported.
(b) A change that expands the types or categories
of information maintained. For example, a file covering
physicians that has been expanded to include other types of
health care providers, e.g., nurses, technicians, etc., would
require a report.
(c) A change that alters the purpose for which
the information is used.
(d) A change to equipment configuration (either
hardware or software) that creates substantially greater access
to the records in the system of records. For example, locating
interactive terminals at regional offices for accessing a system
formerly accessible only at the headquarters would require a
report.
(e) The addition of an exemption pursuant to
Section (j) or (k) of the Act. Note that, in examining a
rulemaking for a Privacy Act exemption as part of a report of a
new or altered system of records, OMB will also review the rule
under applicable regulatory review procedures and agencies need
not make a separate submission for that purpose.
(f) The addition of a routine use pursuant to 5
U.S.C. 552a(b)(3).
- Reporting Changes to Multiple Systems of Records. When
an agency makes a change to an information technology
installation or a telecommunication network, or makes any other
general changes in information collection, processing,
dissemination, or storage that affect multiple systems of
records, it may submit a single, consolidated report, with
changes to existing notices and supporting documentation included
in the submission.
- Contents of the New or Altered System Report. The
report for a new or altered system has three elements: a
transmittal letter, a narrative statement, and supporting
documentation that includes a copy of the proposed Federal
Register notice. There is no prescribed format for either the
letter or the narrative statement. The notice must appear in the
format prescribed by the Office of the Federal Register's
Document Drafting Handbook.
(a) Transmittal Letter. The transmittal letter
should be signed by the senior agency official responsible for
implementation of the Act within the agency and should contain
the name and telephone number of the individual who can best
answer questions about the system of records. The letter should
contain the agency's assurance that the proposed system does not
duplicate any existing agency or government-wide systems of
records. The letter sent to OMB may also include a request for
waiver of the time period for the review. The agency should
indicate why it cannot meet the established review period and
what the consequences of not obtaining the waiver would be (see
paragraph 4e below).
(b) Narrative Statement. The narrative statement
should be brief. It should make reference, as appropriate, to
information in the supporting documentation rather than restating
such information. The statement should:
- Describe the purpose for which the agency
is establishing the system of records.
- Identify the authority under which the
system of records is maintained. The agency should avoid citing
housekeeping statutes, but rather cite the underlying
programmatic authority for collecting, maintaining, and using the
information. When the system is being operated to support an
agency housekeeping program, e.g., a carpool locator, the agency
may, however, cite a general housekeeping statute that authorizes
the agency head to keep such records as necessary.
- Provide the agency's evaluation of the
probable or potential effect of the proposal on the privacy of
individuals.
- Provide a brief description of the steps
taken by the agency to minimize the risk of unauthorized access
to the system of records. A more detailed assessment of the
risks and specific administrative, technical, procedural, and
physical safeguards established shall be made available to OMB
upon request.
- Explain how each proposed routine use
satisfies the compatibility requirement of subsection (a)(7) of
the Act. For altered systems, this requirement pertains only to
any newly proposed routine use.
- Provide OMB Control Numbers, expiration
dates, and titles of any OMB approved information collection
requests (e.g., forms, surveys, etc.) contained in the system of
records. If the request for OMB clearance of an information
collection is pending, the agency may simply state the title of
the collection and the date it was submitted for OMB clearance.
(c) Supporting Documentation. Attach the
following to all new or altered system of records reports:
- A copy of the new or altered system of
records notice in Federal Register format, consistent with the
provisions of 5 U.S.C. 552a(e)(4). For proposed altered systems
the agency should supply a copy of the original system of records
notice to ensure that reviewers can understand the changes
proposed.
- A copy in Federal Register format of any
new exemption rules or changes to published rules (consistent
with the provisions of 5 U.S.C. 552a(f),(j), or (k)) that the
agency proposes to issue for the new or altered system.
- OMB Concurrence. Agencies may assume that OMB concurs
in the Privacy Act aspects of their proposal if OMB has not
commented within 40 days from the date the transmittal letter was
signed. Agencies should ensure that letters are transmitted
expeditiously after they are signed. Agencies may publish system
of records and routine use notices as well as proposed exemption
rules in the Federal Register at the same time that they send the
new or altered system report to OMB and Congress. The period for
OMB and congressional review and the notice and comment period
for routine uses and exemptions will then run concurrently. Note
that exemptions must be published as final rules before they are
effective.
d. New or Altered Matching Program Report. The Act requires
agencies to publish notices in the Federal Register describing
new or altered matching programs, and to submit reports to OMB,
and to Congress. The report must be received at least 40 days
prior to the initiation of any matching activity carried out
under a new or substantially altered matching program. For
renewals of continuing programs, the report must be dated at
least 40 days prior to the expiration of any existing matching
agreement.
- When to Report Altered Matching Programs. Agencies
need not report minor changes to matching programs. The term
"minor change to a matching program" means a change that does not
significantly alter the terms of the agreement under which the
program is being carried out. Examples of significant changes
include:
(a) Changing the purpose for which the program
was established.
(b) Changing the matching population, either by
including new categories of record subjects or by greatly
increasing the numbers of records matched.
(c) Changing the legal authority covering the
matching program.
(d) Changing the source or recipient agencies
involved in the matching program.
- Contents of New or Altered Matching Program Report.
The report for a new or altered matching program has three
elements: a transmittal letter, a narrative statement, and
supporting documentation that includes a copy of the proposed
Federal Register notice. There is no prescribed format for
either the letter or the narrative statement. The notice must
appear in the format prescribed by the Office of the Federal
Register's Document Drafting Handbook.
(a) Transmittal Letter. The transmittal letter
should be signed by the senior agency official responsible for
implementation of the Privacy Act within the agency and should
contain the name and telephone number of the individual who can
best answer questions about the matching program. The letter
should state that a copy of the matching agreement has been
distributed to Congress as the Act requires. The letter to OMB
may also include a request for waiver of the review time period.
(b) Narrative Statement. The narrative statement
should be brief. It should make reference, as appropriate, to
information in the supporting documentation rather than restating
such information. The statement should provide:
- A description of the purpose of the
matching program and the authority under which it is being
carried out.
- A description of the security safeguards
used to protect against any unauthorized access or disclosure of
records used in the match.
- If the cost/benefit analysis required by
Section (u)(4)(A) indicated an unfavorable ratio or was waived
pursuant to OMB guidance, an explanation of the basis on which
the agency justifies conducting the match.
(c) Supporting Documentation. Attach the
following:
- A copy of the Federal Register notice
describing the matching program.
- For the Congressional report only, a copy
of the matching agreement.
- OMB Concurrence. Agencies may assume that OMB concurs
in the Privacy Act aspects of their proposal if OMB has not
commented within 40 days from the date the transmittal letter was
signed. Agencies should ensure that letters are transmitted
expeditiously after they are signed. Agencies may publish
matching program notices in the Federal Register at the same time
that they send the matching program report to OMB and Congress.
The period for OMB and congressional review and the notice and
comment period will then run concurrently.
e. Expediting the Review Process. The Director, OMB, may
grant a waiver of the 40-day review period for either systems of
records or matching program reviews. The agency must ask for the
waiver in the transmittal letter and demonstrate compelling
reasons. When a waiver is granted, the agency is not thereby
relieved of any other requirement of the Act. If no waiver is
granted, agencies may presume concurrence at the expiration of
the 40 day review period. Note that OMB cannot waive time
periods specifically established by the Act such as the 30 days
notice and comment period required for the adoption of a routine
use proposal pursuant to Section (b)(3) of the Act.