[Federal Register: April 9, 2007 (Volume 72, Number 67)] [Rules and Regulations] [Page 17367-17376] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr09ap07-4] ======================================================================= ----------------------------------------------------------------------- SMALL BUSINESS ADMINISTRATION 13 CFR Part 102 RIN 3245-AF20 Record Disclosure and Privacy AGENCY: U.S. Small Business Administration (SBA). ACTION: Direct Final Rule. ----------------------------------------------------------------------- SUMMARY: This rule updates the U.S. Small Business Administration's (SBA) regulations implementing the Privacy Act of 1974. This rule ensures the security and confidentiality of personally identifiable records and protects against hazards to their integrity. Specifically, Subpart B of the Privacy Act regulations is revised to include SBA's procedures for maintaining appropriate administrative, technical and physical safeguards to ensure the security of the records. Also included are Privacy Act standards of conduct for Agency employees; training and reporting requirements pursuant to Privacy Act guidelines and the Office of Management and Budget (OMB) guidance; and the Privacy Act responsibilities of the Chief, Freedom of Information/Privacy Acts (FOI/PA) Office. DATES: This rule is effective June 8, 2007 without further action, unless significant adverse comment is received by May 9, 2007. If significant adverse comment is received, the SBA will publish a timely withdrawal of the rule in the Federal Register. ADDRESSES: You may submit comments, identified by RIN 3245-AF20, by any of the following methods: (1) Federal rulemaking portal at http://www.regulations.gov ; (2) e-mail: lisa.babcock@sba.gov, include RIN number 3245-AF20 in the subject line of the message; (3) mail to: Delorice P. Ford, Agency Chief FOIA Officer, 409 3rd Street, SW., Mail Code: 2441, Washington, DC 20416; and (4) Hand Delivery/Courier: 409 3rd Street, SW., Washington, DC 20416. FOR FURTHER INFORMATION CONTACT: Delorice P. Ford, Agency Chief FOIA Officer, (202) 401-8203. SUPPLEMENTARY INFORMATION: SBA is revising Subpart B of Part 102 to include more in-depth information about Privacy Act (PA) responsibilities, and to further ensure the security and confidentiality of the Agency's personally identifiable records, including the standards for disclosure of information under computer matching programs. This rule will further assist the SBA in focusing on the four basic policy objectives of the Privacy Act. Those objectives are: the restriction of disclosure of personally identifiable information; individuals' increased right of access to records maintained on them; individuals' right to seek amendment of records maintained on them; and the establishment of fair information practices. SBA is substantially revising this rule to present it in a statement and narrative format rather than question and answer, which conforms to the current writing style of Subpart A. As a result, the headings and section numbers are different than current SBA rule 13 CFR part 102, Subpart B. SBA is publishing this rule as a direct final rule because it believes the rule is non-controversial since it merely enforces the basic policy objectives of the Privacy Act and does not present novel or unusual policies or practices. Because the rule follows routine, standard government-wide Privacy Act practices, SBA believes that this direct final rule will not elicit any significant adverse comments. However, if such comments are received, SBA will publish a timely notice of withdrawal in the Federal Register. Section-by Section Analysis General provisions, Sec. 102.20, provides an overview of the scope of regulations contained in Subpart B as well as definitions for terms that are not previously defined in Part 102. New Sec. 102.21 Agency officials responsible for the Privacy Act, describes the various Agency personnel responsible for the PA and a listing of their duties. Some of this information is currently included in SBA PA rules at 13 CFR 102.29 and 102.32. Section 102.22 Requirements relating to systems of records, this section expands current SBA PA rules at Sec. Sec. 102.24 and 102.25 and establishes parameters for the type of information that SBA may collect from an individual, including the prohibition on maintaining records concerning First Amendment rights in certain circumstances. Section 102.22 also addresses how to ensure the accurate and secure maintenance of records on individuals, and how to report new systems of records. Section 102.23--Publication in the Federal Register Notices of systems of records explains that SBA will publish notice of new or modified systems of records and routine uses in the Federal Register. This section is not currently included in SBA rules. Section 102.24--Requests for access to records describes procedures for individuals on how and where to make requests for access to records under the PA. This section is similar to current SBA rule at 13 CFR 102.34. Section 102.25--Responsibility for responding to requests for access to records provides a description of responsibilities for Agency respondents to requests for access to records, while Sec. 102.26-- Responses to requests for access to record describes what to include in those responses. Current SBA rule at 13 CFR 102.36 provides similar information. New Sec. 102.27--Appeals from denials of requests for access to records provides procedures for individuals on how and where to make appeals from denials of requests for access to records. Section 102.28--Requests for amendment or correction of records, provides a description of how and where to make requests and appeals for amendment or correction of records, including how to file Statements of Disagreement if appeals under this section are denied in whole or part. Section 102.29--Requests for an accounting of record disclosures describes procedures for individuals to make requests and appeals for an accounting of records disclosures. Section 102.30--Preservation of records this section describes how SBA will implement the record retention requirements of Title 44 of the United States Code or the National Archives and Records Administration's General Records Schedule 14. Section 102.31--Fees this section states that for PA matters, SBA charges only for duplication of records and all fees under $25 are waived. Section 102.32--Notice of court-ordered and emergency disclosures this section explains SBA's compliance with court-ordered and emergency disclosures. SBA will notify individuals by mailing a notice to their last known address. Section 102.33--Security of systems of records this section requires SBA offices that maintain PA records to establish controls to protect records on individuals and ensure that record access is limited to only those [[Page 17368]] individuals who must have access to the records to perform their duties. Section 102.34--Contracts for the operation of record systems this section establishes that SBA contractors are subject to the PA and this rule. The contractor and its employees are considered SBA employees during the contract and can be subject to the sanctions of the PA. Section 102.35--Use and collection of Social Security Numbers under this section, individuals may not be negatively affected if they refuse to provide their social security numbers, unless such numbers are required under a statute or regulation adopted prior to 1975, or the collection in general is authorized by statute. Individuals must be informed whether submitting the social security number is mandatory or voluntary; the authority for collecting it; and the purpose for which it will be used. Section 102.36--Privacy Act standards of conduct this section requires SBA to inform its employees how the Agency enforces PA provisions, including civil liability and criminal penalty provisions. The section sets forth standards for collecting, maintaining, accessing, or disclosing information in a system of records, in order to comply with those standards. Section 102.37--Training requirements according to this section all SBA employees with PA duties must periodically attend Agency PA training. Section 102. 38--Other rights and services this section limits the rights of persons to access any record they are not entitled to under the PA. Section 102.39--SBA's Exempt Privacy Act Systems of Records this section identifies the systems of records that are exempt from disclosure and the basis for their exemption. In general such systems contain Office of Inspector General (OIG) investigatory materials, Equal Employment Opportunity records, personnel records, and litigation records that contain personally identifiable criminal, investigative, and financial information. The exemption of these systems will help protect the investigative process, information sources, and classified information. Section 102.40--Computer matching agreements this section establishes that SBA may not disclose information on an individual for use in a computer matching program unless the Agency has entered into a written agreement governing the use of the information with the recipient of such information. Among other things, matching agreements must specify the purpose, legal authority, description and approximate number of records, estimate of savings, procedures for individualized notice, information verification, record retention and security, prohibitions on duplication and re-disclosure, assessments on record accuracy, and record access by the Comptroller General. Copies of all matching agreements must be provided to appropriate Congressional committees. This section also establishes a Data Integrity Board to oversee and coordinate the matching programs, approve and maintain all written agreements, and if OMB requests, compile a report on SBA's matching activities that will be available to the public. Finally, this section sets forth the process for filing an appeal with OMB of any matching agreement the Data Integrity Board disapproves. OMB may approve such a matching agreement, if it finds that the program will be consistent with all applicable legal, regulatory and policy requirements, is cost- effective and is in the public interest. If the Board and OMB disapprove a matching program proposed by OIG, the IG may report such disapproval to the Administrator and to Congress. Section 102.41--Other provisions this section explains that SBA personnel records are maintained in accordance with Office of Personnel Management regulations, describes the conditions for disclosing an individual's medical records, and notifies individuals that SBA will not profit from the sale of an individual's name or address. Compliance With Executive Orders 12866, 12988, and 13132, the Regulatory Flexibility Act (5 U.S.C. 601-612), and the Paperwork Reduction Act (44 U.S.C. Ch. 35) Executive Order 12866 The Office of Management and Budget has determined that this rule does not constitute a significant regulatory action within the meaning of Executive Order 12866. This rule merely makes SBA's Privacy Act program more compliant with current law and facilitates greater public understanding of why personal information is collected, how that information will be used and shared, how it may be accessed, and securely stored. Executive Order 12988 This rule meets the applicable standards set forth in Sec. Sec. 3(a) and (3)(b)(2) of Executive Order 12988, to minimize litigation, eliminate ambiguity, and reduce burden. This rule would not have retroactive or preemptive effect. Executive Order 13132 This rule would not have substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. Therefore, for purposes of Executive Order 13132, SBA has determined that this rule does not have sufficient federalism implications to warrant the preparation of a Federalism Assessment. Paperwork Reduction Act For the purpose of the Paperwork Reduction Act, 44 U.S.C. Ch. 35, SBA has determined that this rule will not impose any new reporting or record keeping requirements. Regulatory Flexibility Act The Regulatory Flexibility Act (RFA) requires administrative agencies to consider the effect of their actions on small entities, small non-profit enterprises, and small local governments. The RFA requires agencies to prepare an analysis which describes the impact of each rule on such entities. However, in lieu of preparing an analysis, section 605 of the RFA allows an agency to certify that the rulemaking is not expected to have a significant economic impact on a substantial number of small entities. This rule concerns the rights of individuals under the Privacy Act and outlines the responsibilities of the Agency to ensure that information it collects on those individuals is used and maintained in a manner that ensures its confidentiality. An individual is not a small entity as defined in the RFA. Furthermore, the Privacy Act does not concern small entities. Accordingly, SBA certifies that this rule will not have a significant economic impact on a substantial number of small entities. List of Subjects in 13 CFR Part 102 Freedom of information, Privacy. 0 For the reasons stated in the preamble, the Small Business Administration amends 13 CFR Chapter I, part 102, as follows: PART 102--RECORD DISCLOSURE AND PRIVACY 0 1. The authority citation for part 102 is revised to read as follows: Authority: 5 U.S.C. 301, 552, 552a; 31 U.S.C. 9701; 44 U.S.C. 3501, et seq., E.O. 12600, 52 FR 23781, 3 CFR, 187 Comp., p. 235. [[Page 17369]] 0 2. Revise subpart B of part 102 to read as follows: Subpart B--Protection of Privacy and Access to Individual Records Under the Privacy Act of 1974 Sec. 102.20 General provisions. 102.21 Agency officials responsible for the Privacy Act of 1974. 102.22 Requirements relating to systems of records. 102.23 Publication in the Federal Register--Notices of systems of records. 102.24 Requests for access to records. 102.25 Responsibility for responding to requests for access to records. 102.26 Responses to requests for access to records. 102.27 Appeals from denials of requests for access to records. 102.28 Requests for amendment or correction of records. 102.29 Requests for an accounting of record disclosures. 102.30 Preservation of records. 102.31 Fees. 102.32 Notice of court-ordered and emergency disclosures. 102.33 Security of systems of records. 102.34 Contracts for the operation of record systems. 102.35 Use and collection of Social Security Numbers. 102.36 Privacy Act standards of conduct. 102.37 Training requirements. 102.38 Other rights and services. 102.39 SBA's exempt Privacy Act systems of records. 102.40 Computer matching. 102.41 Other provisions. Subpart B--Protection of Privacy and Access to Individual Records Under the Privacy Act of 1974 Sec. 102.20 General provisions. (a) Purpose and scope. This subpart implements the provisions of the Privacy Act of 1974, 5 U.S.C. 552a. These regulations apply to all records which are contained in systems of records maintained by the U.S. Small Business Administration (SBA) and that are retrieved by an individual's name or personal identifier. These regulations set forth the procedures by which individuals may request access to records about themselves, request amendment or correction of those records, and request an accounting of disclosures of those records by the SBA. These regulations also set forth the requirements applicable to SBA employees maintaining, collecting, using or disseminating records pertaining to individuals. This subpart applies to SBA and all of its offices and is mandatory for use by all SBA employees. (b) Definitions. As used in this subpart: (1) Agency means the U.S. Small Business Administration (SBA) and includes all of its offices wherever located; (2) Employee means any employee of the SBA, regardless of grade, status, category or place of employment; (3) Individual means a citizen of the United States or an alien lawfully admitted for permanent residence. This term shall not encompass entrepreneurial enterprises (e.g. sole proprietors, partnerships, corporations, or other forms of business entities); (4) Maintain includes maintain, collect, use, or disseminate; (5) Record means any item, collection, or grouping of information about an individual that is maintained by the SBA, including, but not limited to education, financial transactions, medical history, and criminal or employment history and that contains the individual's name, or an identifying number, symbol, or other identifying particular assigned to the individual such as a finger or voice print or photograph; (6) System of records means a group of any records under the control of SBA from which information is retrieved by the name of the individual or by an identifying number, symbol, or other identifying particular assigned to the individual; (7) Statistical record means a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual; (8) Routine use means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected; (9) Request for access to a record means a request made under Privacy Act subsection (d)(1) allowing an individual to gain access to his or her record or to any information pertaining to him or her which is contained in a system of records; (10) Request for amendment or correction of a record means a request made under Privacy Act subsection (d)(2), permitting an individual to request amendment or correction of a record that he or she believes is not accurate, relevant, timely, or complete; (11) Request for an accounting means a request made under Privacy Act subsection (c)(3) allowing an individual to request an accounting of any disclosure to any SBA officers and employees who have a need for the record in the performance of their duties; (12) Requester is an individual who makes a request for access, a request for amendment or correction, or a request for an accounting under the Privacy Act; and (13) Authority to request records for a law enforcement purpose means that the head of an Agency or a United States Attorney, or either's designee, is authorized to make written requests under subsection (b)(7) of the Privacy Act for records maintained by other agencies that are necessary to carry out an authorized law enforcement activity. Sec. 102.21 Agency employees responsible for the Privacy Act of 1974. (a) Program/Support Office Head is the SBA employee in each field office and major program and support area responsible for implementing and overseeing this regulation in that office. (b) Privacy Act Systems Manager (PASM) is the designated SBA employee in each office responsible for the development and management of any Privacy Act systems of records in that office. (c) Senior Agency Official for Privacy is SBA's Chief Information Officer (CIO) who has overall responsibility and accountability for ensuring the SBA's implementation of information privacy protections, including the SBA's full compliance with Federal laws, regulations, and policies relating to information privacy such as the Privacy Act and the E-Government Act of 2002. (d) Chief, Freedom of Information/Privacy Acts (FOI/PA) Office oversees and implements the record access, amendment, and correction provisions of the Privacy Act. Sec. 102.22 Requirements relating to systems of records. (a) In general. Each SBA office shall, in accordance with the Privacy Act: (1) Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the Agency required to be accomplished by a statute or by Executive Order of the President; (2) Collect information to the greatest extent practicable directly from the subject individual when the information may affect an individual's rights, benefits, and privileges under Federal programs; (b) Requests for information from individuals. If a form is being used to collect information from individuals, either the form used to collect the information, or a separate form that can be retained by the individual, must state the following: (1) The authority (whether granted by statute, or by Executive Order of the [[Page 17370]] President) which authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary; (2) The principal purpose or purposes for which the information is intended to be used; (3) The routine uses which may be made of the information; and (4) The effects on such individual, if any, of not providing all or any part of the requested information. (c) Report on new systems. Each SBA office shall provide adequate advance notice to Congress and OMB through the FOI/PA Office of any proposal to establish or alter any system of records in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals. (d) Accurate and secure maintenance of records. Each SBA office shall: (1) Maintain all records which are used in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination; (2) Prior to disseminating any record from a system of records about an individual to any requestor, including an agency, make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for SBA purposes; and (3) Establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. (i) PASMs, with the approval of the head of their offices, shall establish administrative and physical controls, consistent with SBA regulations, to insure the protection of records systems from unauthorized access or disclosure and from physical damage or destruction. The controls instituted shall be proportional to the degree of sensitivity of the records but at a minimum must ensure that records other than those available to the general public under the FOIA, are protected from public view, that the area in which the records are stored is supervised during all business hours and physically secured during non-business hours to prevent unauthorized personnel from obtaining access to the records. (ii) PASMs, with the approval of the head of their offices, shall adopt access restrictions to insure that only those individuals within the agency who have a need to have access to the records for the performance of their duties have access to them. Procedures shall also be adopted to prevent accidental access to, or dissemination of, records. (e) Prohibition against maintenance of records concerning First Amendment rights. No SBA office shall maintain a record describing how any individual exercises rights guaranteed by the First Amendment (e.g. speech), unless the maintenance of such record is: (1) Expressly authorized by statute, or (2) Expressly authorized by the individual about whom the record is maintained, or (3) Pertinent to and within the scope of an authorized law enforcement activity. Sec. 102.23 Publication in the Federal Register--Notices of systems of records. (a) Notices of systems of records to be published in the Federal Register. (1) The SBA shall publish in the Federal Register upon establishment or revision a notice of the existence and character of any new or revised systems of records. Unless otherwise instructed, each notice shall include: (i) The name and location of the system; (ii) The categories of individuals on who records are maintained in the system; (iii) The categories of records maintained in the system; (iv) Each routine use of the records contained in the system, including the categories of users and the purpose of such use; (v) The policies and practices of the office regarding storage, retrievability, access controls, retention, and disposal of the records; (vi) The title and business address of the SBA official who is responsible for the system of records; (vii) A statement that SBA procedures allow an individual, at his or her request, to determine whether a system of records contains a record pertaining to him or her, to review such records and to contest or amend such records, located in sections 102.25 through 102.29 of these regulations. (viii) A statement that such requests may be directed to the SBA's FOI/PA Office, 409 3rd St., SW., Washington, DC 20416 or faxed to 202- 205-7059; and (ix) The categories of sources of records in the system. (2) Minor changes to systems of records shall be published annually. (b) Notice of new or modified routine uses to be published in the Federal Register. At least 30 days prior to disclosing records pursuant to a new use or modification of a routine use, as published under paragraph (a)(1)(iv) of this section, each SBA office shall publish in the Federal Register notice of such new or modified use of the information in the system and provide an opportunity for any individual or persons to submit written comments. Sec. 102.24 Requests for access to records. (a) How made and addressed. An individual, or his or her legal guardian, may make a request for access to an SBA record about himself or herself by appearing in person or by writing directly to the SBA office that maintains the record or to the FOI/PA Office by mail to 409 3rd St., SW., Washington, DC 20416 or fax to 202-205-7059. A request received by the FOI/PA Office will be forwarded to the appropriate SBA Office where the records are located. (b) Description of records sought. A request for access to records must describe the records sought in sufficient detail to enable SBA personnel to locate the system of records containing them with a reasonable amount of effort. A request should also state the date of the record or time period in which the record was compiled, and the name or identifying number of each system of records in which the requester believes the record is kept. The SBA publishes notices in the Federal Register that describe its systems of records. A description of the SBA's systems of records also may be found at http://www.sba.gov/foia/systemrecords.doc . (c) Verification of identity. Any individual who submits a request for access to records must verify his or her identity. No specific form is required; however, the requester must state his or her full name, current address, and date and place of birth. The request must be signed and the requester's signature must either be notarized or submitted under 28 U.S.C. 1746. This law permits statements to be made under penalty of perjury as a substitute for notarization, the language states: (1) If executed outside the United States: ``I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). Signature''; or (2) If executed within the Untied States, its territories, possessions or commonwealths: ``I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). Signature''. [[Page 17371]] (d) Verification of guardianship. When making a request as a legal agent or the parent or guardian of a minor or as the guardian of someone determined by a court to be incompetent, for access to records about that individual, the requester must establish: (1) The identity of the individual who is the subject of the record, by stating the name, current address, date and place of birth, and, at the requester's option, the social security number of the individual; (2) The requester's own identity, as required in paragraph (c) of this section; (3) That the requester is the legal agent or parent or guardian of that individual, which may be proven by providing a copy of the individual's birth certificate showing his parentage or by providing a court order establishing guardianship; and (4) That the requester is acting on behalf of that individual in making the request. Sec. 102.25 Responsibility for responding to requests for access to records. (a) In general. Except as stated in paragraphs (c), (d), and (e) of this section and in Sec. 102.24(a), the office that first receives a request for access to a record, and has possession of that record, is the office responsible for responding to the request. That office shall acknowledge receipt of the request not later than 10 days (excluding Saturdays, Sundays, and legal public holidays) after the date of receipt of the request in writing. In determining which records are responsive to a request, an office ordinarily shall include only those records in its possession as of the date the office begins its search for them. If any other date is used, the office shall inform the requester of that date. (b) Authority to grant or deny requests. The Program/Support Office Head, or designee, is authorized to grant or deny any request for access to a record of that office. (c) Consultations and referrals. When an office receives a request for access to a record in its possession, it shall determine whether another office, or another agency of the Federal Government, is better able to determine whether the record is exempt from access under the Privacy Act. If the receiving office determines that it is best able to process the record in response to the request, then it shall do so. If the receiving office determines that it is not best able to process the record, then it shall either: (1) Respond to the request regarding that record, after consulting with the office or agency best able to determine whether the record is exempt from access and with any other office or agency that has a substantial interest in it; or (2) Refer the responsibility for responding to the request to the office best able to determine whether the record is exempt from access or to another agency that originated the record (but only if that agency is subject to the Privacy Act). Ordinarily the office or agency that originated a record will be presumed to be best able to determine whether it is exempt from access. (d) Law enforcement information. Whenever a request is made for access to a record containing information that relates to an investigation of a possible violation of law and that was originated by SBA's Office of the Inspector General (OIG) or another agency, the receiving office shall refer the responsibility for responding to the request regarding that information to either SBA's OIG or the other agency ``depending on where the investigation originated.'' (e) Classified information. Whenever a request is made for access to a record containing information that has been classified by or may be appropriate for classification by another office or agency under Executive Order 12958 or any other executive order concerning the classification of records, the receiving office shall refer the responsibility for responding to the request regarding that information to the office or agency that classified the information, should consider the information for classification, or has the primary interest in it, as appropriate. Whenever a record contains information that has been derivatively classified by an office because it contains information classified by another office or agency, the office shall refer the responsibility for responding to the request regarding that information to the office or agency that classified the underlying information. Information determined to no longer require classification shall not be withheld from a requester on the basis of Exemption (k)(1) of the Privacy Act. (f) Notice of referral. Whenever an office refers all or any part of the responsibility for responding to a request to another office or agency, it shall notify the requester of the referral and inform the requester of the name of each office or agency to which the request has been referred and of the part of the request that has been referred. (g) Responses to consultations and referrals. All consultations and referrals shall be processed according to the date the access request was initially received by the first office or agency, not any later date. (h) Agreements regarding consultations and referrals. Offices may make agreements with other offices or agencies to eliminate the need for consultations or referrals for particular types of records. Sec. 102.26 Responses to requests for access to records. (a) Acknowledgements of requests. On receipt of a request, an office shall send an acknowledgement letter to the requester. (b) Grants of requests for access. Once an office makes a determination to grant a request for access in whole or in part, it shall notify the requester in writing. The Program/Support Office Head or designee shall inform the requester in the notice of any fee charged under Sec. 102.31 and shall disclose records to the requester promptly on payment of any applicable fee. If a request is made in person, the office may disclose records to the requester directly, in a manner not unreasonably disruptive of its operations, on payment of any applicable fee and with a written record made of the grant of the request. If a requester is accompanied by another person, he or she shall be required to authorize in writing any discussion of the records in the presence of the other person. (c) Adverse determinations of requests for access. A Program/ Support Office Head or designee making an adverse determination denying a request for access in any respect shall notify the requester of that determination in writing. Adverse determinations, or denials of requests, consist of: a determination to withhold any requested record in whole or in part; a determination that a requested record does not exist or cannot be located; a determination that the requested information is not a record subject to the Privacy Act; a determination on any disputed fee matter; and a denial of a request for expedited treatment. The notification letter shall be signed by the Program/ Support Office Head or designee, and shall include: (1) The name and title or position of the person responsible for the denial; (2) A brief statement of the reason(s) for the denial, including any FOIA or Privacy Act exemption(s) applied in denying the request; and (3) A statement that the denial may be appealed under Sec. 102.27(a) and a description of the requirements of Sec. 102.27(a). [[Page 17372]] Sec. 102.27 Appeals from denials of requests for access to records. (a) Appeals. If the requester is dissatisfied with an office's response to his or her request for access to records, the requester may make a written appeal of the adverse determination denying the request in any respect to the SBA's FOI/PA Office, 409 3rd St., SW., Washington, DC 20416. The appeal must be received by the FOI/PA Office within 60 days of the date of the letter denying the request. The requester's appeal letter should include as much information as possible, including the identity of the office whose adverse determination is being appealed. Unless otherwise directed, the Chief, FOI/PA will decide all appeals under this subpart. (b) Responses to appeals. The decision on a requester's appeal will be made in writing not later than 30 days (excluding Saturdays, Sundays, and legal public holidays) after the date of receipt of such appeal. A decision affirming an adverse determination in whole or in part will include a brief statement of the reason(s) for the affirmation, including any Privacy Act exemption applied, and will inform the requester of the Privacy Act provisions for court review of the decision. If the adverse determination is reversed or modified on appeal in whole or in part, the requester will be notified in a written decision and his request will be reprocessed in accordance with that appeal decision. (c) Judicial review. In order to seek judicial review by a court of any adverse determination or denial of a request, a requester must first appeal it to the FOI/PA Office under this section. Sec. 102.28 Requests for amendment or correction of records. (a) How made and addressed. Unless the record is not subject to amendment or correction as stated in paragraph (f) of this section, an individual may make a request for amendment or correction of an SBA record about himself or herself by writing directly to the office that maintains the record, following the procedures in Sec. 102.24. The request should identify each particular record in question, state the amendment or correction sought, and state why the record is not accurate, relevant, timely, or complete. The requester may submit any documentation that he or she thinks would be helpful. If the requester believes that the same record is in more than one system of records, that should be stated and the request should be sent to each office that maintains a system of records containing the record. (b) Office responses. Within ten (10) days (excluding Saturdays, Sundays, and legal public holidays) of receiving a request for amendment or correction of records, an office shall send the requester a written acknowledgment of receipt, and the office shall notify the requester within 30 days (excluding Saturdays, Sundays, and legal public holidays) of receipt of the request whether it is granted or denied. If the Program/Support Office Head or designee grants the request in whole or in part, the amendment or correction must be made, and the requester advised of his or her right to obtain a copy of the corrected or amended record. If the office denies a request in whole or in part, it shall send the requester a letter signed by the Program/ Support Office Head or designee that shall state: (1) The reason(s) for the denial; and (2) The procedure for appeal of the denial under paragraph (c) of this section, including the name and business address of the official who will act on your appeal. (c) Appeals. An individual may appeal a denial of a request for amendment or correction to the FOI/PA Office in the same manner as a denial of a request for access to records (see Sec. 102.27), and the same procedures shall be followed. If the appeal is denied, the requester shall be advised of his or her right to file a Statement of Disagreement as described in paragraph (d) of this section and of his or her right under the Privacy Act for court review of the decision. (d) Statement of Disagreement. If an appeal under this section is denied in whole or in part, the requester has the right to file a Statement of Disagreement that states the reason(s) for disagreeing with the SBA's denial of his or her request for amendment or correction. A Statement of Disagreement must be concise, must clearly identify each part of any record that is disputed, and should be no longer than one typed page for each fact disputed. An individual's Statement of Disagreement must be sent to the office that maintains the record involved, which shall place it in the system of records in which the disputed record is maintained and shall mark the disputed record to indicate that a Statement of Disagreement has been filed and where in the system of records it may be found. (e) Notification of amendment/correction or disagreement. Within 30 days (excluding Saturdays, Sundays, and legal public holidays) of the amendment or correction of a record, the office that maintains the record shall notify all persons, organizations, or agencies to which it previously disclosed the record, if an accounting of that disclosure was made, that the record has been amended or corrected. If an individual has filed a Statement of Disagreement, the office shall append a copy of it to the disputed record whenever the record is disclosed and may also append a concise statement of its reason(s) for denying the request to amend or correct the record. (f) Records not subject to amendment or correction. The following records are not subject to amendment or correction: (1) Transcripts of testimony given under oath or written statements made under oath; (2) Transcripts of grand jury proceedings, judicial proceedings, or quasi-judicial proceedings, which are the official record of those proceedings; (3) Pre-sentence records that originated with the courts; and (4) Records in systems of records that have been exempted from amendment and correction under Privacy Act, 5 U.S.C. 552a (j) or (k) by notice published in the Federal Register. Sec. 102.29 Requests for an accounting of record disclosures. (a) How made and addressed. Except where accountings of disclosures are not required to be kept (as stated in paragraph (b) of this section), an individual may make a request for an accounting of any disclosure that has been made by the SBA to another person, organization, or agency of any record in a system of records about him or her. This accounting contains the date, nature, and purpose of each disclosure, as well as the name and address of the person, organization, or agency to which the disclosure was made. The request for an accounting should identify each particular record in question and should be made by writing directly to the SBA office that maintains the record, following the procedures in Sec. 102.24. (b) Where accountings are not required. Offices are not required to provide accountings where they relate to: (1) Disclosures for which accountings are not required to be kept; disclosures that are made to employees within the SBA and disclosures that are made under the FOIA; (2) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from those law enforcement agencies specifying the civil or criminal law enforcement activities for which the disclosures are sought; or [[Page 17373]] (3) Disclosures made from law enforcement systems of records that have been exempted from accounting requirements under Privacy Act, 5 U.S.C. 552a(j) or (k) by notice published in the Federal Register. (c) Appeals. An individual may appeal a denial of a request for an accounting to the FOI/PA Office in the same manner as a denial of a request for access to records (see Sec. 102.27), and the same procedures will be followed. Sec. 102.30 Preservation of records. Each office will preserve all correspondence pertaining to the requests that it receives under this subpart, as well as copies of all requested records, until disposition or destruction is authorized by title 44 of the United States Code or the National Archives and Records Administration's General Records Schedule 14. Records will not be disposed of while they are the subject of a pending request, appeal, or lawsuit under the Privacy Act. Sec. 102.31 Fees. SBA offices shall charge fees for duplication of records under the Privacy Act in the same way in which they charge duplication fees under Sec. 102.6(b)(3). No search or review fee may be charged for any record unless the record has been exempted from access under Exemptions (j)(2) or (k)(2) of the Privacy Act. SBA will waive fees under $25.00. Sec. 102.32 Notice of court-ordered and emergency disclosures. (a) Court-ordered disclosures. When a record pertaining to an individual is required to be disclosed by order of a court of competent jurisdiction, the office that maintains the record shall make reasonable efforts to provide notice of this to the individual. Notice shall be given within a reasonable time after the office's receipt of the order, except that in a case in which the order is not a matter of public record, the notice shall be given only after the order becomes public. This notice shall be mailed to the individual's last known address and shall contain a copy of the order and a description of the information disclosed. Notice shall not be given if disclosure is made from a criminal law enforcement system of records that has been exempted from the notice requirement. (b) Emergency disclosures. Upon disclosing a record pertaining to an individual made under compelling circumstances affecting health or safety, the office shall notify that individual of the disclosure. This notice shall be mailed to the individual's last known address and shall state the nature of the information disclosed; the person, organization, or agency to which it was disclosed; the date of disclosure; and the compelling circumstances justifying the disclosure. Sec. 102.33 Security of systems of records. (a) Each Program/Support Office Head or designee shall establish administrative and physical controls to prevent unauthorized access to its systems of records, to prevent unauthorized disclosure of records, and to prevent physical damage to or destruction of records. The stringency of these controls shall correspond to the sensitivity of the records that the controls protect. At a minimum, each office's administrative and physical controls shall ensure that: (1) Records are protected from public view; (2) The area in which records are kept is supervised during business hours to prevent unauthorized persons from having access to them; (3) Records are inaccessible to unauthorized persons outside of business hours; and (4) Records are not disclosed to unauthorized persons or under unauthorized circumstances in either oral or written form. (b) Each Program/Support Office Head or designee shall establish procedures that restrict access to records to only those individuals within the SBA who must have access to those records in order to perform their duties and that prevent inadvertent disclosure of records. (c) The OCIO shall provide SBA offices with guidance and assistance for privacy and security of electronic systems and compliance with pertinent laws and requirements. Sec. 102.34 Contracts for the operation of record systems. When SBA contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion of the record affected, are considered to be maintained by the SBA, and subject to this subpart. The SBA is responsible for applying the requirements of this subpart to the contractor. The contractor and its employees are to be considered employees of the SBA for purposes of the sanction provisions of the Privacy Act during performance of the contract. Sec. 102.35 Use and collection of Social Security Numbers. Each Program/Support Office Head or designee shall ensure that collection and use of SSN is performed only when the functionality of the system is dependant on use of the SSN as an identifier. Employees authorized to collect information must be aware: (a) That individuals may not be denied any right, benefit, or privilege as a result of refusing to provide their social security numbers, unless: (1) The collection is authorized either by a statute; or (2) The social security numbers are required under statute or regulation adopted prior to 1975 to verify the identity of an individual; and (b) That individuals requested to provide their social security numbers must be informed of: (1) Whether providing social security numbers is mandatory or voluntary; (2) Any statutory or regulatory authority that authorizes the collection of social security numbers; and (3) The uses that will be made of the numbers. Sec. 102.36 Privacy Act standards of conduct. Each Program/Support Office Head or designee shall inform its employees of the provisions of the Privacy Act, including its civil liability and criminal penalty provisions. Unless otherwise permitted by law, an employee of the SBA shall: (a) Collect from individuals only the information that is relevant and necessary to discharge the responsibilities of the SBA; (b) Collect information about an individual directly from that individual whenever practicable; (c) Inform each individual from whom information is collected of: (1) The legal authority to collect the information and whether providing it is mandatory or voluntary; (2) The principal purpose for which the SBA intends to use the information; (3) The routine uses the SBA may make of the information; and (4) The effects on the individual, if any, of not providing the information; (d) Ensure that the office maintains no system of records without public notice and that it notifies appropriate SBA officials of the existence or development of any system of records that is not the subject of a current or planned public notice; (e) Maintain all records that are used by the SBA in making any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination; (f) Except as to disclosures made to an agency or made under the FOIA, make reasonable efforts, prior to [[Page 17374]] disseminating any record about an individual, to ensure that the record is accurate, relevant, timely, and complete; (g) Maintain no record describing how an individual exercises his or her First Amendment rights, unless it is expressly authorized by statute or by the individual about whom the record is maintained, or is pertinent to and within the scope of an authorized law enforcement activity; (h) When required by the Privacy Act, maintain an accounting in the specified form of all disclosures of records by the SBA to persons, organizations, or agencies; (i) Maintain and use records with care to prevent the unauthorized or inadvertent disclosure of a record to anyone; and (j) Notify the appropriate SBA official of any record that contains information that the Privacy Act does not permit the SBA to maintain. Sec. 102.37 Training requirements. All employees should attend privacy training within one year of employment with SBA. All employees with Privacy Act responsibilities must attend Privacy Act training, whenever needed, that is offered by the SBA. Sec. 102.38 Other rights and services. Nothing in this subpart shall be construed to entitle any person, as a right, to any service or to the disclosure of any record to which such person is not entitled under the Privacy Act. Sec. 102.39 SBA's exempt Privacy Act systems of records. (a) Systems of records subject to investigatory material exemption under 5 U.S.C. 552a(k)(2), or 5 U.S.C. 552a(k)(5) or both: (1) Office of Inspector General Records Other Than Investigation Records--SBA 4, contains records pertaining to audits, evaluations, and other non-audit services performed by the OIG; (2) Equal Employment Opportunity Complaint Cases--SBA 13, contains complaint files, Equal Employment Opportunity counselor's reports, investigation materials, notes, reports, and recommendations; (3) Investigative Files--SBA 16, contains records gathered by the OIG in the investigation of allegations that are within the jurisdiction of the OIG; (4) Investigations Division Management Information System--SBA 17, contains records gathered or created during preparation for, conduct of, and follow-up on investigations conducted by the OIG, the Federal Bureau of Investigation (FBI), and other Federal, State, local, or foreign regulatory or law enforcement agency; (5) Litigation and Claims Files--SBA 19, contains records relating to recipients classified as ``in litigation'' and all individuals involved in claims by or against the Agency; (6) Personnel Security Files--SBA 24, contains records on active and inactive personnel security files, employee or former employee's name, background information, personnel actions, OPM, and/or authorized contracting firm background investigations; (7) Security and Investigations Files--SBA 27, contains records gathered or created during preparation for, conduct of, and follow-up on investigations conducted by OIG, the FBI, and other Federal, State, local, or foreign regulatory or law enforcement agencies as well as other material submitted to or gathered by OIG in furtherance of its investigative function; and (8) Standards of Conduct Files--SBA 29, contains records on confidential employment and financial statements of employees Grade 13 and above. (b) These systems of records are exempt from the following provisions of the Privacy Act and all regulations in this part promulgated under these provisions: (1) 552a(c)(3) (Accounting of Certain Disclosures); (2) 552a(d) (Access to Records); (3) 552a(e)(1), 4G, H, and I (Agency Requirements); and (4) 552a(f) (Agency Rules). (c) The systems of records described in paragraph (a) of this section are exempt from the provisions of the Privacy Act described in paragraph (b) of this section in order to: (1) Prevent the subject of investigations from frustrating the investigatory process; (2) Protect investigatory material compiled for law enforcement purposes; (3) Fulfill commitments made to protect the confidentiality of sources and to maintain access to necessary sources of information; or (4) Prevent interference with law enforcement proceedings. (d) In addition to the foregoing exemptions in paragraphs (a) through (c) of this section, the systems of records described in paragraph (a) of this section numbered SBA 4, 16, 17, 24, and 27 are exempt from the Privacy Act except for subsections (b), (c)(1) and (2), (e)(4)(A) through F, (e)(6), (7), (9), (10) and (11) and (i) to the extent that they contain: (1) Information compiled to identify individual criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, confinement, release, and parole and probation status; (2) Information, including reports of informants and investigators, associated with an identifiable individual compiled to investigate criminal activity; or (3) Reports compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision associated with an identifiable individual. (e) The systems of records described in paragraph (d) of this section are exempt from the Privacy Act to the extent described in that paragraph because they are records maintained by the Investigations Division of the OIG, which is a component of SBA which performs as its principal function activities pertaining to the enforcement of criminal laws within the meaning of 5 U.S.C. 552a(j)(2). They are exempt in order to: (1) Prevent the subjects of OIG investigations from using the Privacy Act to frustrate the investigative process; (2) Protect the identity of Federal employees who furnish a complaint or information to the OIG, consistent with section 7(b) of the Inspector General Act of 1978, 5 U.S.C. app. 3; (3) Protect the confidentiality of other sources of information; (4) Avoid endangering confidential sources and law enforcement personnel; (5) Prevent interference with law enforcement proceedings; (6) Assure access to sources of confidential information, including that contained in Federal, State, and local criminal law enforcement information systems; (7) Prevent the disclosure of investigative techniques; or (8) Prevent the disclosure of classified information. Sec. 102.40 Computer matching. The OCIO will enforce the computer matching provisions of the Privacy Act. The FOI/PA Office will review and concur on all computer matching agreements prior to their activation and/or renewal. (a) Matching agreements. SBA will comply with the Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a(o), 552a notes) . The Privacy Protection Act establishes procedures Federal agencies must use if they want to match their computer lists. SBA shall not disclose any record which is contained in a system of records to a recipient agency or non-Federal agency for use in a computer matching program except pursuant to a written agreement [[Page 17375]] between SBA and the recipient agency or non-Federal agency specifying: (1) The purpose and legal authority for conducting the program; (2) The justification for the purpose and the anticipated results, including a specific estimate of any savings; (3) A description of the records that will be matched, including each data element that will be used, the approximate number of records that will be matched, and the projected starting and completion dates of the matching program; (4) Procedures for providing individualized notice at the time of application, and periodically thereafter as directed by the Data Integrity Board, that any information provided by any of the above may be subject to verification through matching programs to: (i) Applicants for and recipients of financial assistance or payments under Federal benefit programs, and (ii) Applicants for and holders of positions as Federal personnel. (5) Procedures for verifying information produced in such matching program as required by paragraph (c) of this section. (6) Procedures for the retention and timely destruction of identifiable records created by a recipient agency or non-Federal agency in such matching program; (7) Procedures for ensuring the administrative, technical, and physical security of the records matched and the results of such programs; (8) Prohibitions on duplication and redisclosure of records provided by SBA within or outside the recipient agency or non-Federal agency, except where required by law or essential to the conduct of the matching program; (9) Procedures governing the use by a recipient agency or non- Federal agency of records provided in a matching program by SBA, including procedures governing return of the records to SBA or destruction of records used in such programs; (10) Information on assessments that have been made on the accuracy of the records that will be used in such matching programs; and (11) That the Comptroller General may have access to all records of a recipient agency or non-Federal agency that the Comptroller General deems necessary in order to monitor or verify compliance with the agreement. (b) Agreement specifications. A copy of each agreement entered into pursuant to paragraph (a) of this section shall be transmitted to OMB, the Committee on Governmental Affairs of the Senate and the Committee on Governmental Operations of the House of Representatives and be available upon request to the public. (1) No such agreement shall be effective until 30 days after the date on which a copy is transmitted. (2) Such an agreement shall remain in effect only for such period, not to exceed 18 months, as the Data Integrity Board determines is appropriate in light of the purposes, and length of time necessary for the conduct, of the matching program. (3) Within three (3) months prior to the expiration of such an agreement, the Data Integrity Board may without additional review, renew the matching agreement for a current, ongoing matching program for not more than one additional year if: (i) Such program will be conducted without any change; and (ii) Each party to the agreement certifies to the Board in writing that the program has been conducted in compliance with the agreement. (c) Verification. In order to protect any individual whose records are used in matching programs, SBA and any recipient agency or non- Federal agency may not suspend, terminate, reduce, or make a final denial of any financial assistance or payment under the Federal benefit program to such individual, or take other adverse action against such individual as a result of information produced by such matching programs until such information has been independently verified. (1) Independent verification requires independent investigation and confirmation of any information used as a basis for an adverse action against an individual including, where applicable: (i) The amount of the asset or income involved, (ii) Whether such individual actually has or had access to such asset or income or such individual's own use, and (iii) The period or periods when the individual actually had such asset or income. (2) SBA and any recipient agency or non-Federal agency may not suspend, terminate, reduce, or make a final denial of any financial assistance or payment under a Federal benefit program, or take other adverse action as a result of information produced by a matching program, (i) Unless such individual has received notice from such agency containing a statement of its findings and information of the opportunity to contest such findings, and (ii) Until the subsequent expiration of any notice period provided by the program's governing statute or regulations, or 30 days. Such opportunity to contest may be satisfied by notice, hearing, and appeal rights governing such Federal benefit program. The exercise of any such rights shall not affect rights available under the Privacy Act. (3) SBA may take any appropriate action otherwise prohibited by the above if SBA determines that the public health or safety may be adversely affected or significantly threatened during the notice period required by paragraph (c)(2)(ii) of this section. (d) Sanctions. Notwithstanding any other provision of law, SBA may not disclose any record which is contained in a system of records to a recipient agency or non-Federal agency for a matching program if SBA has reason to believe that the requirements of paragraph (c) of this section, or any matching agreement entered into pursuant to paragraph (b) of this section or both, are not being met by such recipient agency. (1) SBA shall not renew a matching agreement unless, (i) The recipient agency or non-Federal agency has certified that it has complied with the provisions of that agreement; and (ii) SBA has no reason to believe that the certification is inaccurate. (e) Review annually each ongoing matching program in which the Agency has participated during the year, either as a source or as a matching agency in order to assure that the requirements of the Privacy Act, OMB guidance, and any Agency regulations and standard operating procedures, operating instructions, or guidelines have been met. (f) Data Integrity Board. SBA shall establish a Data Integrity Board (Board) to oversee and coordinate the implementation of the matching program. The Board shall consist of the senior officials designated by the Administrator, to include the Inspector General (who shall not serve as chairman), and the Senior Agency Official for Privacy. The Board shall: (1) Review, approve and maintain all written agreements for receipt or disclosure of Agency records for matching programs to ensure compliance with paragraph (a) of this section and with all relevant statutes, regulations, and guidance; (2) Review all matching programs in which SBA has participated during the year, determine compliance with applicable laws, regulations, guidelines, and Agency agreements, and assess the costs and benefits of such programs; (3) Review all recurring matching programs in which SBA has participated [[Page 17376]] during the year, for continued justification for such disclosures; (4) At the instruction of OMB, compile a report to be submitted to the Administrator and OMB, and made available to the public on request, describing the matching activities of SBA, including, (i) Matching programs in which SBA has participated; (ii) Matching agreements proposed that were disapproved by the Board; (iii) Any changes in membership or structure of the Board in the preceding year; (iv) The reasons for any waiver of the requirement described below for completion and submission of a cost-benefit analysis prior to the approval of a matching program; (v) Any violations of matching agreements that have been alleged or identified and any corrective action taken; and (vi) Any other information required by OMB to be included in such report; (5) Serve as clearinghouse for receiving and providing information on the accuracy, completeness, and reliability of records used in matching programs; (6) Provide interpretation and guidance to SBA offices and personnel on the requirements for matching programs; (7) Review Agency recordkeeping and disposal policies and practices for matching programs to assure compliance with the Privacy Act; and (8) May review and report on any SBA matching activities that are not matching programs. (g) Cost-benefit analysis. Except as provided in paragraphs (e)(2) and (3) of this section, the Data Integrity Board shall not approve any written agreement for a matching program unless SBA has completed and submitted to such Board a cost-benefit analysis of the proposed program and such analysis demonstrates that the program is likely to be cost effective. The Board may waive these requirements if it determines, in writing, and in accordance with OMB guidelines, that a cost-benefit analysis is not required. Such an analysis also shall not be required prior to the initial approval of a written agreement for a matching program that is specifically required by statute. (h) Disapp