Appendix I to OMB Circular No. A-130

Federal Agency Responsibilities for Maintaining Records About Individuals

1. Purpose and Scope
2. Definitions
3. Assignment of Responsibilities
4. Reporting Requirements
5. Publication Requirements


1. Purpose and Scope.

This Appendix describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974, 5 U.S.C. 552a, as amended (hereinafter "the Act"). It applies to all agencies subject to the Act. Note that this Appendix does not rescind other guidance OMB has issued to help agencies interpret the Privacy Act's provisions, e.g., Privacy Act Guidelines (40 FR 28949-28978, July 9, 1975), or Final Guidance for Conducting Matching Programs (54 FR at 25819, June 19, 1989).


2. Definitions.

a. The terms "agency," "individual," "maintain," "record," "system of records," and "routine use," as used in this Appendix, are defined in the Act (5 U.S.C. 552a(a)).

b. Matching Agency. Generally, the Recipient Federal agency (or the Federal source agency in a match conducted by a nonfederal agency) is the matching agency and is responsible for meeting the reporting and publication requirements associated with the matching program. However, in large, multi-agency matching programs, where the recipient agency is merely performing the matches and the benefit accrues to the source agencies, the partners should assign responsibility for compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching agency carry out these requirements for all parties, having one participant designated to do so, or having each source agency do so for its own matching program(s).

c. Nonfederal Agency. Nonfederal agencies are State or local governmental agencies receiving records from a Federal agency's automated system of records to be used in a matching program.

d. Recipient Agency. Recipient agencies are Federal agencies or their contractors receiving automated records from the Privacy Act systems of records of other Federal agencies, or from State or local governments, to be used in a matching program as defined in the Act.

e. Source Agency. A source agency is a Federal agency that discloses automated records from a system of records to another Federal agency or to a State or local agency to be used in a matching program. It is also a State or local agency that discloses records to a Federal agency for use in a matching program.


3. Assignment of Responsibilities.

a. All Federal Agencies. In addition to meeting the agency requirements contained in the Act and the specific reporting and publication requirements detailed in this Appendix, the head of each agency shall ensure that the following reviews are conducted as often as specified below, and be prepared to report to the Director, OMB, the results of such reviews and the corrective action taken to resolve problems uncovered. The head of each agency shall:

  1. Section (m) Contracts. Review every two years a random sample of agency contracts that provide for the maintenance of a system of records on behalf of the agency to accomplish an agency function, in order to ensure that the wording of each contract makes the provisions of the Act binding on the contractor and his or her employees. (See 5 U.S.C. 552a(m)(1).)

  2. Recordkeeping Practices. Review annually agency recordkeeping and disposal policies and practices in order to assure compliance with the Act, paying particular attention to the maintenance of automated records.

  3. Routine Use Disclosures. Review every four years the routine use disclosures associated with each system of records in order to ensure that the recipient's use of such records continues to be compatible with the purpose for which the disclosing agency collected the information.

  4. Exemption of Systems of Records. Review every four years each system of records for which the agency has promulgated exemption rules pursuant to Section (j) or (k) of the Act in order to determine whether such exemption is still needed.

  5. Matching Programs. Review annually each ongoing matching program in which the agency has participated during the year, either as a source or as a matching agency, in order to ensure that the requirements of the Act, the OMB guidance, and any agency regulations, operating instructions, or guidelines have been met.

  6. Privacy Act Training. Review annually agency training practices in order to ensure that all agency personnel are familiar with the requirements of the Act, with the agency's implementing regulation, and with any special requirements of their specific jobs.

  7. Violations. Review annually the actions of agency personnel that have resulted either in the agency being found civilly liable under Section (g) of the Act, or an employee being found criminally liable under the provisions of Section (i) of the Act, in order to determine the extent of the problem and to find the most effective way to prevent recurrence of the problem.

  8. Systems of Records Notices. Review annually each system of records notice to ensure that it accurately describes the system of records. Where minor changes are needed, e.g., the name of the system manager, ensure that an amended notice is published in the Federal Register. Agencies may choose to make one annual comprehensive publication consolidating such minor changes. This requirement is distinguished from and in addition to the requirement to report to OMB and Congress significant changes to systems of records and to publish those changes in the Federal Register (See paragraph 4c of this Appendix).

b. Department of Commerce. The Secretary of Commerce shall, consistent with guidelines issued by the Director, OMB, develop and issue standards and guidelines for ensuring the security of information protected by the Act in automated information systems.

c. The Department of Defense, General Services Administration, and National Aeronautics and Space Administration. These agencies shall, consistent with guidelines issued by the Director, OMB, ensure that instructions are issued on what agencies must do in order to comply with the requirements of Section (m) of the Act when contracting for the operation of a system of records to accomplish an agency purpose.

d. Office of Personnel Management. The Director of the Office of Personnel Management shall, consistent with guidelines issued by the Director, OMB:

  1. Develop and maintain government-wide standards and procedures for civilian personnel information processing and recordkeeping directives to assure conformance with the Act.

  2. Develop and conduct Privacy Act training programs for agency personnel, including both the conduct of courses in various substantive areas (e.g., administrative, information technology) and the development of materials that agencies can use in their own courses. The assignment of this responsibility to OPM does not affect the responsibility of individual agency heads for developing and conducting training programs tailored to the specific needs of their own personnel.

e. National Archives and Records Administration. The Archivist of the United States, through the Office of the Federal Register, shall, consistent with guidelines issued by the Director, OMB:

  1. Issue instructions on the format of the agency notices and rules required to be published under the Act.

  2. Compile and publish every two years the rules promulgated under 5 U.S.C. 552a(f) and agency notices published under 5 U.S.C. 552a(e)(4) in a form available to the public at low cost.

  3. Issue procedures governing the transfer of records to Federal Records Centers for storage, processing, and servicing pursuant to 44 U.S.C. 3103. For purposes of the Act, such records are considered to be maintained by the agency that deposited them. The Archivist may disclose deposited records only according to the access rules established by the agency that deposited them.

f. Office of Management and Budget. The Director of the Office of Management and Budget will:

  1. Issue guidelines and directives to the agencies to implement the Act.

  2. Assist the agencies, at their request, in implementing their Privacy Act programs.

  3. Review new and altered system of records and matching program reports submitted pursuant to Section (o) of the Act.

  4. Compile the biennial report of the President to Congress in accordance with Section (s) of the Act.

  5. Compile and issue a biennial report on the agencies' implementation of the computer matching provisions of the Privacy Act, pursuant to Section (u)(6) of the Act.


4. Reporting Requirements. The Privacy Act requires agencies to make the following kinds of reports:

* Review Period: Note that the statutory reporting requirement is 30 days prior; the additional 10 days will ensure that OMB and Congress have sufficient time to review the proposal. Agencies should therefore ensure that reports are mailed expeditiously after being signed.

** Recipient Addresses: At bottom of envelope print "PRIVACY ACT REPORT"

House of Representatives:
The Chair of the House Committee on Government Operations, 2157
RHOB, Washington, D.C. 20515-6143.

Senate:
The Chair of the Senate Committee on Governmental Affairs, 340
SDOB, Washington, D.C. 20510-6250.

Office of Management and Budget:
The Administrator of the Office of Information and Regulatory
Affairs, Office of Management and Budget, ATTN: Docket Library,
NEOB Room 3201, Washington, D.C. 20503.

a. Biennial Privacy Act Report. To provide the necessary information for the biennial report of the President, agencies shall submit a biennial report to OMB, covering their Privacy Act activities for the calendar years covered by the reporting period. The exact format of the report will be established by OMB. At a minimum, however, agencies should collect and be prepared to report the following data on a calendar year basis:

  1. A listing of publication activity during the year showing the following:

    * Total Number of Systems of Records (Exempt/NonExempt)
    * Number of New Systems of Records Added (Exempt/NonExempt)
    * Number Routine Uses Added
    * Number Exemptions Added to Existing Systems
    * Number Exemptions Deleted from Existing Systems
    * Total Number of Automated Systems of Records (Exempt/NonExempt)

    The agency should provide a brief narrative describing those activities in detail, e.g., "the Department added a (k)(1) exemption to an existing system of records entitled 'Investigative Records of the Office of Investigations'" or "the agency added a new routine use to a system of records entitled 'Employee Health Records' that would permit disclosure of health data to researchers under contract to the agency to perform workplace risk analysis."

  2. A brief description of any public comments received on agency publication and implementation activities, and agency response.

  3. Number of access and amendment requests from record subjects citing the Privacy Act that were received during the calendar year of the report. Also report the disposition of requests from any year that were completed during the calendar year of the report:

    * Total Number of Access Requests
      * Number Granted in Whole
      * Number Granted in Part
      * Number Wholly Denied
      * Number For Which No Record Found

    * Total Amendment Requests
      * Number Granted in Whole
      * Number Granted in Part
      * Number Wholly Denied

    * Number of Appeals of Denials of Access
      * Number Granted in Whole
      * Number Granted in Part
      * Number Wholly Denied
      * Number For Which No Record Found

    * Number of Appeals of Denials of Amendment
      * Number Granted in Whole
      * Number Granted in Part
      * Number Wholly Denied

  4. Number of instances in which individuals brought suit under section (g) of the Privacy Act against the agency and the results of any such litigation that resulted in a change to agency practices or affected guidance issued by OMB.

  5. Results of any reviews undertaken in response to paragraph 3a of this Appendix.

  6. Description of agency Privacy Act training activities conducted in accordance with paragraph 3a(6) of this Appendix.

b. Biennial Matching Activity Report (See 5 U.S.C. 552a(u)(3)(D)). At the end of each calendar year, the Data Integrity Board of each agency that has participated in matches covered by the computer matching provisions of the Privacy Act will collect data summarizing that year's matching activity. The Act requires that such activity be reported every two years. OMB will establish the exact format of the report, but agencies' Data Integrity Boards should be prepared to report the data identified below both to the agency head and to OMB.

  1. A listing of the names and positions of the members of the Data Integrity Board, showing separately the name, agency mailing address, and telephone number of the Board Secretary. Also show and explain any changes in membership or structure occurring during the reporting year.

  2. A listing of each matching program, by title and purpose, in which the agency participated during the reporting year. This listing should show names of participant agencies, give a brief description of the program, and give a citation including the date to the Federal Register notice describing the program.

  3. For each matching program, an indication of whether the cost/benefit analysis performed resulted in a favorable ratio. The Data Integrity Board should explain why the agency proceeded with any matching program for which an unfavorable ratio was reached.

  4. For each program for which the Board waived a cost/benefit analysis, the reasons for the waiver and the results of the match, if tabulated.

  5. A description of each matching agreement the Board rejected and an explanation of why it was rejected.

  6. A listing of any violations of matching agreements that have been alleged or identified, and a discussion of any action taken.

  7. A discussion of any litigation involving the agency's participation in any matching program.

  8. For any litigation based on allegations of inaccurate records, an explanation of the steps the agency used to ensure the integrity of its data as well as the verification process it used in the matching program, including an assessment of the adequacy of each.

c. New and Altered System of Records Report. The Act requires agencies to publish notices in the Federal Register describing new or altered systems of records, and to submit reports to OMB, to the Chair of the Committee on Government Operations of the House of Representatives, and to the Chair of the Committee on Governmental Affairs of the Senate. The reports must be transmitted at least 40 days prior to the operation of the new system of records or the date on which the alteration to an existing system takes place.

  1. When to Report Altered Systems of Records. Minor changes to systems of records need not be reported. For example, a change in the designation of the system manager due to a reorganization would not require a report, so long as an individual's ability to gain access to his or her records is not affected. Other examples include changing applicable safeguards as a result of a risk analysis or deleting a routine use when there is no longer a need for the disclosure. The following changes are those for which a report is required:

      (a) A significant increase in the number of individuals about whom records are maintained. For example, a decision to expand a system that originally covered only residents of public housing in major cities to cover such residents nationwide would require a report. Increases attributable to normal growth should not be reported.

      (b) A change that expands the types or categories of information maintained. For example, a file covering physicians that has been expanded to include other types of health care providers, e.g., nurses, technicians, etc., would require a report.

      (c) A change that alters the purpose for which the information is used.

      (d) A change to equipment configuration (either hardware or software) that creates substantially greater access to the records in the system of records. For example, locating interactive terminals at regional offices for accessing a system formerly accessible only at the headquarters would require a report.

      (e) The addition of an exemption pursuant to Section (j) or (k) of the Act. Note that, in examining a rulemaking for a Privacy Act exemption as part of a report of a new or altered system of records, OMB will also review the rule under applicable regulatory review procedures and agencies need not make a separate submission for that purpose.

      (f) The addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).

  2. Reporting Changes to Multiple Systems of Records. When an agency makes a change to an information technology installation or a telecommunication network, or makes any other general changes in information collection, processing, dissemination, or storage that affect multiple systems of records, it may submit a single, consolidated report, with changes to existing notices and supporting documentation included in the submission.

  3. Contents of the New or Altered System Report. The report for a new or altered system has three elements: a transmittal letter, a narrative statement, and supporting documentation that includes a copy of the proposed Federal Register notice. There is no prescribed format for either the letter or the narrative statement. The notice must appear in the format prescribed by the Office of the Federal Register's Document Drafting Handbook.

      (a) Transmittal Letter. The transmittal letter should be signed by the senior agency official responsible for implementation of the Act within the agency and should contain the name and telephone number of the individual who can best answer questions about the system of records. The letter should contain the agency's assurance that the proposed system does not duplicate any existing agency or government-wide systems of records. The letter sent to OMB may also include requests for waiver of the time period for the review. The agency should indicate why it cannot meet the established review period and what the consequences of not obtaining the waiver will be (see paragraph 4e below).

      (b) Narrative Statement. The narrative statement should be brief. It should make reference, as appropriate, to information in the supporting documentation rather than restating such information. The statement should:

      1. Describe the purpose for which the agency is establishing the system of records.

      2. Identify the authority under which the system of records is maintained. The agency should avoid citing housekeeping statutes, but rather cite the underlying programmatic authority for collecting, maintaining, and using the information. When the system is being operated to support an agency housekeeping program, e.g., a carpool locator, the agency may, however, cite a general housekeeping statute that authorizes the agency head to keep such records as necessary.

      3. Provide the agency's evaluation of the probable or potential effect of the proposal on the privacy of individuals.

      4. Provide a brief description of the steps taken by the agency to minimize the risk of unauthorized access to the system of records. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established shall be made available to OMB upon request.

      5. Explain how each proposed routine use satisfies the compatibility requirement of subsection (a)(7) of the Act. For altered systems, this requirement pertains only to any newly proposed routine use.

      6. Provide OMB Control Numbers, expiration dates, and titles of any OMB approved information collection requests (e.g., forms, surveys, etc.) contained in the system of records. If the request for OMB clearance of an information collection is pending, the agency may simply state the title of the collection and the date it was submitted for OMB clearance.

      (c) Supporting Documentation. Attach the following to all new or altered system of records reports:

      1. A copy of the new or altered system of records notice in Federal Register format, consistent with the provisions of 5 U.S.C. 552a(e)(4). For proposed altered systems the agency should supply a copy of the original system of records notice to ensure that reviewers can understand the changes proposed.

      2. A copy in Federal Register format of any new exemption rules or changes to published rules (consistent with the provisions of 5 U.S.C. 552a(f),(j), or (k)) that the agency proposes to issue for the new or altered system.

  4. OMB Concurrence. Agencies may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40 days from the date the transmittal letter was signed. Agencies should ensure that letters are transmitted expeditiously after they are signed. Agencies may publish system of records and routine use notices as well as proposed exemption rules in the Federal Register at the same time that they send the new or altered system report to OMB and Congress. The period for OMB and congressional review and the notice and comment period for routine uses and exemptions will then run concurrently. Note that exemptions must be published as final rules before they are effective.

d. New or Altered Matching Program Report. The Act requires agencies to publish notices in the Federal Register describing new or altered matching programs, and to submit reports to OMB and to Congress. The report must be received at least 40 days prior to the initiation of any matching activity carried out under a new or substantially altered matching program. For renewals of continuing programs, the report must be dated at least 40 days prior to the expiration of any existing matching agreement.

  1. When to Report Altered Matching Programs. Agencies need not report minor changes to matching programs. The term "minor change to a matching program" means a change that does not significantly alter the terms of the agreement under which the program is being carried out. Examples of significant changes include:

      (a) Changing the purpose for which the program was established.

      (b) Changing the matching population, either by including new categories of record subjects or by greatly increasing the numbers of records matched.

      (c) Changing the legal authority covering the matching program.

      (d) Changing the source or recipient agencies involved in the matching program.

  2. Contents of New or Altered Matching Program Report. The report for a new or altered matching program has three elements: a transmittal letter, a narrative statement, and supporting documentation that includes a copy of the proposed Federal Register notice. There is no prescribed format for either the letter or the narrative statement. The notice must appear in the format prescribed by the Office of the Federal Register's Document Drafting Handbook.

      (a) Transmittal Letter. The transmittal letter should be signed by the senior agency official responsible for implementation of the Privacy Act within the agency and should contain the name and telephone number of the individual who can best answer questions about the matching program. The letter should state that a copy of the matching agreement has been distributed to Congress as the Act requires. The letter to OMB may also include a request for waiver of the review time period.

      (b) Narrative Statement. The narrative statement should be brief. It should make reference, as appropriate, to information in the supporting documentation rather than restating such information. The statement should provide:

      1. A description of the purpose of the matching program and the authority under which it is being carried out.

      2. A description of the security safeguards used to protect against any unauthorized access or disclosure of records used in the match.

      3. If the cost/benefit analysis required by Section (u)(4)(A) indicated an unfavorable ratio or was waived pursuant to OMB guidance, an explanation of the basis on which the agency justifies conducting the match.

      (c) Supporting Documentation. Attach the following:

      1. A copy of the Federal Register notice describing the matching program.

      2. For the Congressional report only, a copy of the matching agreement.

  3. OMB Concurrence. Agencies may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40 days from the date the transmittal letter was signed. Agencies should ensure that letters are transmitted expeditiously after they are signed. Agencies may publish matching program notices in the Federal Register at the same time that they send the matching program report to OMB and Congress. The period for OMB and congressional review and the notice and comment period will then run concurrently.

e. Expediting the Review Process. The Director, OMB, may grant a waiver of the 40-day review period for either systems of records or matching program reviews. The agency must ask for the waiver in the transmittal letter and demonstrate compelling reasons. When a waiver is granted, the agency is not thereby relieved of any other requirement of the Act. If no waiver is granted, agencies may presume concurrence at the expiration of the 40-day review period. Note that OMB cannot waive time periods specifically established by the Act, such as the 30-day notice and comment period required for the adoption of a routine use proposal pursuant to Section (b)(3) of the Act.


5. Publication Requirements. The Privacy Act requires agencies to publish notices or rules in the Federal Register in the following circumstances: when adopting a new or altered system of records, when adopting a routine use or exemption for a system of records, or when proposing to carry out a new or altered matching program. (See paragraph 4c(1) and 4d(1) above on what constitutes a reportable alteration.)

a. Publishing New or Altered Systems of Records Notices and Exemption Rules.

  1. Who Publishes. The agency responsible for operating the system of records makes the necessary publication. Publication should be carried out at the departmental or agency level. Where a system of records is to be operated exclusively by a component, the department rather than the component should publish the notice. Thus, for example, the Department of the Treasury would publish a system of records notice covering a system operated exclusively by the Internal Revenue Service. Note that if the agency is proposing to exempt the system under Section (j) or (k) of the Act, it must publish a rule in addition to the system of records notice.

      (a) Government-wide Systems of Records. Certain agencies publish systems of records containing records for which they have government-wide responsibilities. The records may be located in other agencies, but they are being used under the authority of and in conformance with the rules mandated by the publishing agency. The Office of Personnel Management, for example, has published a number of government-wide systems of records relating to the operation of the government's personnel program. Agencies should not publish systems of records that wholly or partly duplicate existing government-wide systems of records.

      (b) Section (m) Contract Provisions. When an agency provides by contract for the operation of a system of records, it should ensure that a system of records notice describing the system has been published. It should also review the notice to ensure that it contains a routine use under Section (e)(4)(D) of the Act permitting disclosure to the contractor and his or her personnel.

  2. When to Publish.

      (a) System Notice. The notice must appear in the Federal Register before the agency begins to operate the system, e.g., to collect and use the information.

      (b) Routine Use. A routine use must be published in the Federal Register 30 days before the agency discloses records pursuant to its terms. If the sole change to an existing system of records is to add a routine use, the agency should publish either the entire system of records notice, a condensed description of the system of records, or a citation to the last full-text Federal Register publication. (Note that the addition of a routine use to an existing system of records requires a report to OMB and Congress, and that the review period for this report is 40 days.)

      (c) Exemption Rule. Must be established through informal rulemaking pursuant to the Administrative Procedure Act. This process generally requires publication of a proposed rule, a period during which the public may comment, publication of a final rule, and the adoption of the final rule. Agencies may not withhold records under an exemption until these requirements have been met.

  3. Format. Agencies should follow the publication format contained in the Office of the Federal Register's Document Drafting Handbook obtainable from the Government Printing Office.

b. Publishing Matching Notices.

  1. Who Publishes. Generally, the Recipient Federal agency (or the Federal source agency in a match conducted by a nonfederal agency) is responsible for publishing in the Federal Register a notice describing the new or altered matching program. However, in large, multi-agency matching programs, where the recipient agency is merely performing the matches, and the benefit accrues to the source agencies, the partners should assign responsibility for compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching agency carry out these requirements for all parties, having one participant designated to do so, or having each source agency do so for its own matching program(s).

  2. Timing. Publication must occur at least 30 days prior to the initiation of any matching activity carried out under a new or substantially altered matching program. For renewals of programs that agencies wish to continue past the 30-month period of initial eligibility (i.e., the initial 18 months plus a 1-year extension), publication must occur at least 30 days prior to the expiration of the existing matching agreement. (But note that a report to OMB and the Congress is also required, with a 40-day review period.)

  3. Format. The matching notice shall be in the format prescribed by the Office of the Federal Register's Document Drafting Handbook and contain the following information:

      (a) The name of the Recipient Agency.

      (b) The Name(s) of the Source Agencies.

      (c) The beginning and ending dates of the match.

      (d) A brief description of the matching program, including its purpose; the legal authorities authorizing its operation; categories of individuals involved; and identification of records used, including name(s) of Privacy Act Systems of records.

      (e) The identification, address, and telephone number of a Recipient Agency official who will answer public inquiries about the program.