Regulations Implementing the Privacy Act of 1974, 42785-42794 [E6-12124]

Agencies

• Occupational Safety and Health Review Commission

[Federal Register Volume 71, Number 145 (Friday, July 28, 2006)]
[Proposed Rules]
[Pages 42785-42794]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E6-12124]


=======================================================================
-----------------------------------------------------------------------

OCCUPATIONAL SAFETY AND HEALTH REVIEW COMMISSION

29 CFR Part 2400


Regulations Implementing the Privacy Act of 1974

AGENCY: Occupational Safety and Health Review Commission.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Occupational Safety and Health Review Commission (OSHRC) 
is proposing to amend its regulations implementing the Privacy Act of 
1974, 5 U.S.C. 552a, as amended. The Privacy Act has been amended 
multiple times since OSHRC first promulgated its regulations in 1979. 
The proposed amendments to OSHRC's regulations at 29 CFR part 2400 will 
assist the agency in complying with the requirements of the Privacy 
Act.

DATES: Comments must be received by OSHRC on or before August 28, 2006.

ADDRESSES: You may submit comments by any of the following methods:
     E-mail: regsdocket@oshrc.gov. Include ``PRIVACY ACT 
PROPOSED RULEMAKING'' in the subject line of the message.
     Fax: (202) 606-5417.
     Mail: One Lafayette Centre, 1120-20th Street, NW., Ninth 
Floor, Washington, DC 20036-3457.
     Hand Delivery/Courier: Same as mailing address.
    Instructions: All submissions must include your name, return 
address and e-mail address, if applicable. Please clearly label 
submissions as ``PRIVACY ACT PROPOSED RULEMAKING.'' If you submit 
comments by e-mail, you will receive an automatic confirmation e-mail 
from the system indicating that we have received your submission. If, 
in response to your comment submitted via e-mail, you do not receive a 
confirmation e-mail within five working days, contact us directly at 
(202) 606-5410.

FOR FURTHER INFORMATION CONTACT: Ron Bailey, Attorney-Advisor, Office 
of the General Counsel, via telephone at (202) 606-5410, or via e-mail 
at rbailey@oshrc.gov.

SUPPLEMENTARY INFORMATION: OSHRC's regulations implementing the Privacy 
Act of 1974 were first promulgated on January 19, 1979, 44 FR 3968. 
These regulations have not been revised, except for changes made to the 
office address referenced in Sec. Sec.  2400.6 and 2400.7, 58 FR 26065, 
April 30, 1993. Since 1979, however, the Privacy Act has been amended 
on numerous occasions. As explained below, these statutory changes, 
along with intervening case law, compel OSHRC to propose various 
amendments to its regulations. Because OSHRC proposes extensive 
revisions to its existing regulations implementing the Privacy Act, 
OSHRC has reproduced, for the convenience of the reader, the revised 
regulations to 29 CFR part 2400 in their entirety in its proposed 
rulemaking.
    The specific amendments that OSHRC proposes include the following 
changes which are discussed in regulatory sequence.
    OSHRC proposes amending its authority citation to exclude all 
references to popular names and statutes at large. The Office of the 
Federal Register has expressed a preference for citing only to the 
United States Code when referencing a Federal statute.
    In Sec.  2400.1 (Purpose and scope), OSHRC proposes making several 
changes to clarify what 29 CFR part 2400 covers. In accordance with the 
amendments to the Privacy Act contained in section 2(b), Public Law 97-
365 (5 U.S.C. 552a(m)(2)), OSHRC proposes amending Sec.  2400.1 to 
reflect that part 2400 no longer covers systems of records ``that are 
disclosed to consumer reporting agencies under [section] 3711(e) of 
title 31, United States Code.'' Additionally, OSHRC proposes amending 
Sec.  2400.1 to reflect that part 2400 applies only to ``records that 
are maintained by [OSHRC].'' Presently, Sec.  2400.1 states that 
OSHRC's Privacy Act regulations ``are applicable only to such items of 
information as relate to the agency or are within its custody.'' 
However, the term ``record'' is defined in the Privacy Act at 5 U.S.C. 
552a(a)(4) while the term ``items of information'' is not. Therefore, 
amending Sec.  2400.1 to substitute ``record'' for ``items of 
information'' would more appropriately limit the purpose and scope of 
the regulations in accordance with the statute. OSHRC also proposes 
deleting the last sentence of Sec.  2400.1, which states ``[t]his part 
is intended to protect individual privacy, and affects all personal 
information collection and usage activity of the agency,'' because it 
is overly broad. Based on these proposed amendments, new Sec.  2400.1 
would read as follows:

    The purpose of the provisions of this part is to provide 
procedures to implement the Privacy Act of 1974 (5 U.S.C. 552a). 
This part is applicable only to records that are maintained by the 
Occupational Safety and Health Review Commission (OSHRC or the 
Commission), which includes all systems of records operated on 
behalf of OSHRC, pursuant to a contract, to accomplish an agency 
function, except for records that are disclosed to consumer 
reporting agencies under section 3711(e) of title 31, United States 
Code. This part is not applicable to the rights of parties appearing 
in adversary proceedings before the Commission to obtain discovery 
from an adverse party. Such matters are governed by the Commission's 
Rules of Procedure, which are published at 29 CFR 2200.1 et seq.

Revising Sec.  2400.1 in this manner would incorporate a statutory 
change to the Privacy Act, as well as clarify the proper scope of the 
agency's regulations under this Part.
    In Sec.  2400.2 (Description of agency), OSHRC proposes adding a 
sentence to the end of the section that provides additional details 
about the designation of one of the Commissioners as the Chairman and 
his responsibilities for the administrative operations of the

[[Page 42786]]

Commission, consistent with section 12(e) of the Occupational Safety 
and Health Act of 1970, 29 U.S.C. 661(e). OSHRC also proposes a simple 
change in nomenclature by deleting ``Occupational Safety and Health 
Review Commission'' and replacing it with ``The Commission.'' The 
agency's full name would first be noted in revised Sec.  2400.1 based 
on the amendments to that section discussed above.
    OSHRC proposes amending several items in Sec.  2400.3 (Delegation 
of authority). In paragraph (a) of Sec.  2400.3, OSHRC proposes revised 
language providing that ``[t]he Chairman shall designate an OSHRC 
employee as the Privacy Officer, and shall delegate to the Privacy 
Officer the authority to insure agency-wide compliance with this 
part.'' In the current version of paragraph (a), this authority is 
delegated to the Executive Director. In recent years, the Office of 
Management and Budget (OMB) has issued various guidance memoranda 
regarding the responsibilities of executive departments and agencies on 
privacy matters, including Safeguarding Personally Identifiable 
Information, OMB-06-15 (May 22, 2006); Designation of Senior Agency 
Officials for Privacy, OMB Memorandum M-05-08 (Feb. 11, 2005); and OMB 
Guidance for Implementing the Privacy Provision of the E-Government Act 
of 2002, OMB Memorandum M-03-22 (Sept. 30, 2003). By creating the 
position of Privacy Officer and providing this individual with the 
authority to handle Privacy Act matters, OSHRC would be better able to 
respond to future changes in requirements and subsequent guidance in 
the privacy arena.
    In paragraph (b) of Sec.  2400.3, OSHRC proposes replacing the term 
``[c]ustodians'' with the more specific term ``[c]ustodians of the 
systems of records'' in order to better define those persons covered by 
paragraph (b). In accordance with the changes proposed to Sec.  
2400.3(a), OSHRC would also replace the term ``Executive Director'' 
with ``Privacy Officer.'' OSHRC further proposes to break out existing 
paragraph (b) into paragraphs (b)(1) and (b)(2) and to add a new 
paragraph (b)(3) in order to highlight the various duties of the 
custodians of the systems of records. Specifically, OSHRC proposes to 
reformat paragraph (b) by turning the first and second sentences of the 
current paragraph (b) into new paragraphs (b)(1) and (b)(2), 
respectively. OSHRC proposes making several grammatical changes in new 
paragraph (b)(1) by transforming the words ``adherence,'' 
``collection,'' ``use,'' and ``disclosure'' into present participles. 
OSHRC also proposes to replace (1) the word ``information'' and the 
phrase ``personal information'' with the word ``records,'' and (2) the 
phrase ``personal records systems'' with the phrase ``systems of 
records.'' Because the terms ``record'' and ``system of records'' are 
defined in the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), use of these 
terms would better delineate the scope of revised paragraph (b). OSHRC 
then proposes adding a new paragraph (b)(3), which would make the 
custodians of the systems of records responsible for maintaining an 
accurate accounting of each disclosure in conformance with Sec.  
2400.4(d) and its statutory counterpart in the Privacy Act at 5 U.S.C. 
552a(c). Although Sec.  2400.4(d) presently requires that ``[a]n 
accurate accounting of each disclosure'' be maintained, the current 
regulations do not specify who is responsible for complying with this 
provision. OSHRC believes, however, that custodians of the systems of 
records are best suited to maintain an accounting of each disclosure 
because they have the most interaction with the systems of records and 
are usually involved in processing the requests for records.
    With regard to Sec.  2400.4 (Collection and disclosure of personal 
information), OSHRC proposes making several structural and substantive 
changes, as well as some minor changes in wording. In paragraph 
(a)(1)(i) of Sec.  2400.4, OSHRC proposes adding the phrase ``in its 
records'' after ``[s]olicit, collect and maintain'' to clarify that 
OSHRC's responsibilities under this provision only extend to 
information that is maintained in a record. OSHRC also proposes adding 
a new paragraph (a)(1)(ii) that lists the responsibilities set forth in 
5 U.S.C. 552a(e)(5), which requires each agency to--

    Maintain all records which are used by the agency in making any 
determination about any individual with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to assure 
fairness to the individual in the determination.

    While this provision has always been in the Privacy Act, it was 
never incorporated into OSHRC's regulations. With the addition of new 
paragraph (a)(1)(ii), Sec.  2400.4(a)(1) would better reflect OSHRC's 
responsibilities under the Privacy Act. OSHRC then proposes to renumber 
current paragraphs (a)(1)(ii) and (iii) as new paragraphs (a)(1)(iii) 
and (iv). In order to better track the statutory language of 5 U.S.C. 
552a(e)(2), OSHRC further proposes adding the phrase ``under Federal 
programs'' after ``benefits or privileges'' in the newly renumbered 
paragraph (a)(1)(iii). Finally, OSHRC proposes a minor change by 
deleting ``the'' before ``OSHRC'' in new paragraph (a)(1)(iv).
    OSHRC proposes no changes to paragraph (a)(2), however, in 
paragraph (a)(3) of Sec.  2400.4, OSHRC proposes replacing the word 
``information'' with ``record'' because the term ``record'' is defined 
in the Privacy Act at 5 U.S.C. 552a(a)(4) while the term 
``information'' is not. Amending paragraph (a)(3) in this manner would 
better define this paragraph's scope. OSHRC also proposes adding the 
phrase ``or maintenance of the record'' after ``collection'' to clarify 
that all of the requirements and exceptions in the paragraph apply to 
both the collection and maintenance of records. Finally, OSHRC proposes 
amending paragraph (a)(3) to include language excluding records that 
are ``pertinent to and within the scope of an authorized law 
enforcement activity'' in accordance with 5 U.S.C. 552a(e)(7). We 
propose no changes to Sec.  2400.4(a)(4).
    OSHRC proposes making structural and substantive changes to 
paragraphs (b)(1) and (b)(2) of Sec.  2400.4. Specifically, OSHRC 
proposes amending paragraph (b)(1) to incorporate the opening statutory 
language contained in 5 U.S.C. 552a(b). The revised paragraph (b)(1) 
would thus read:

    OSHRC shall not disclose any record which is contained in a 
system of records by any means of communication to any person, or to 
another agency, except pursuant to a written request by, or with the 
prior written consent of, the individual to whom the record 
pertains.

    The current regulation at Sec.  2400.4(b)(1) regarding disclosures-
which, in part, prevents OSHRC from disseminating records ``unless 
reasonable efforts have been made to assure that the information is 
accurate, complete, timely and relevant''--could be construed as 
applying to Freedom of Information Act (FOIA) requests. Under 5 U.S.C. 
552a(e)(6), however, agency responses to FOIA requests are specifically 
exempted from the Privacy Act requirement that agencies must make 
reasonable efforts to ensure, when disclosing records about an 
individual to any person, that such records are accurate, complete, 
timely, and relevant. This exemption makes sense because the purpose of 
a FOIA request may be, for example, to gather information that reflects 
an agency's propensity for maintaining inaccurate records. 
Consequently, it would not be appropriate to require that such records 
requested under the FOIA be examined in this manner under the Privacy 
Act. Thus, in order to eliminate such an interpretation, OSHRC proposes

[[Page 42787]]

amending paragraph (b)(1) in the aforementioned manner, amending 
paragraph (b)(2) to list exceptions to revised paragraph (b)(1), and 
adding new paragraph (b)(5) which would define when records should be 
``accurate, complete, timely and relevant.''
    As to paragraph (b)(2) of Sec.  2400.4, OSHRC proposes the 
following changes. First, in order to reflect that revised paragraph 
(b)(2) lists exceptions to the rule set forth in revised paragraph 
(b)(1), OSHRC proposes revising the opening clause to read, 
``Exceptions: A record may be disseminated without satisfying the 
requirements of paragraph (b)(1) of this section if disclosure is made: 
* * *'' Second, OSHRC proposes replacing the word ``information'' with 
``record'' in paragraphs (b)(2)(ii) and (b)(2)(iv), because the term 
``record'' is defined in the Privacy Act at 5 U.S.C. 552a(a)(4), while 
the term ``information'' is not. Third, in paragraph (b)(2)(iv), OSHRC 
proposes adding the words ``OSHRC with'' between ``provided'' and 
``adequate advance written assurance'' in order to clarify that notice 
must be provided to OSHRC. In that paragraph, OSHRC also proposes 
replacing the phrase ``individually identifiable'' with ``personally 
identifiable'' because this is a term of art used in the privacy field. 
Fourth, OSHRC proposes a change in nomenclature by spelling out 
``United States'' in paragraph (b)(2)(v) and deleting ``the'' before 
``OSHRC'' in paragraph (b)(2)(viii). Fifth, in accordance with the 
amendments to the Privacy Act contained in section 107(g)(1), Public 
Law 98-497 (5 U.S.C. 552a(b)(6)), OSHRC proposes modifying, in 
paragraph (b)(2)(vi), ``National Archives of the United States'' to 
read ``National Archives and Records Administration,'' and 
``Administrator of General Services'' to read ``Archivist of the United 
States or the designee of the Archivist.'' Sixth, OSHRC proposes 
modifying, in paragraph (b)(2)(viii), ``Federal agency'' to read 
``another agency.'' This revision better tracks the statutory language 
at 5 U.S.C. 552a(b)(7) and makes clear that the records can be 
disclosed to federal, state, or local agencies. In this regard, OMB 
states in its guidelines, 40 FR 28948, 28955, July 9, 1975, that in 
addition to providing for disclosures to federal law enforcement 
agencies, section 552a(b)(7) allows an agency, ``upon receipt of a 
written request, [to] disclose a record to another agency or unit of 
State or local government for a civil or criminal law enforcement 
activity.'' Seventh, in order to better track the language of 5 U.S.C. 
552a(b)(9), OSHRC proposes modifying paragraph (b)(2)(ix) of Sec.  
2400.4 to read, ``To either House of Congress, or, to the extent of 
matter within its jurisdiction, any committee or subcommittee thereof, 
or any joint committee of Congress or subcommittee of any such joint 
committee.'' Eighth, in accordance with the GAO Human Capital Reform 
Act of 2004, Public Law 108-271, 118 Stat. 811, OSHRC proposes 
modifying, in paragraph (b)(2)(x), ``General Accounting Office'' to 
read ``Government Accountability Office.'' Finally, OSHRC proposes 
adding a new paragraph (b)(2)(xii) which, in accordance with the 
amendments to the Privacy Act contained in section 2(a), Public Law 97-
365 (5 U.S.C. 552a(b)(12)), would permit disclosures ``[t]o a consumer 
reporting agency in accordance with section 3711(e) of title 31, United 
States Code.''
    OSHRC further proposes some minor changes, such as capitalizing 
``Service'' in paragraph (b)(3) and revising ``Sec.  2400.4(b)(3) 
above'' to read ``paragraph (b)(3) of this section'' in paragraph 
(b)(4). In paragraph (b)(3), OSHRC also proposes changing ``The 
Personnel Office'' to ``OSHRC's Office of Administration'' based on the 
agency's recent reorganization.
    OSHRC next proposes adding new paragraphs (b)(5) and (b)(6) to 
Sec.  2400.4, which would essentially incorporate the statutory 
language of 5 U.S.C. 552a(e)(6) and (d)(5), respectively. Paragraph 
(b)(5) would read:

    Disclosures to third parties. OSHRC shall not disseminate any 
record about an individual to any person other than an agency unless 
the record is disseminated pursuant to paragraph (b)(2)(i) of this 
section, or reasonable efforts have been made to ensure that the 
record is accurate, complete, timely and relevant.

Paragraph (b)(6) would read:

    Anticipated legal action. Nothing in this section shall allow an 
individual access to any information compiled in reasonable 
anticipation of a civil action or proceeding.

OSHRC believes that these provisions should be added to Sec.  2400.4 in 
order to track the statute and make the regulations comprehensive.
    Additionally, OSHRC proposes moving current Sec.  2400.4(c) and re-
designating it as new Sec.  2400.5(c). Current section 2400.4(c), which 
pertains to notifying certain persons and agencies about corrections 
made to a record, is a better fit for new Sec.  2400.5(c), which 
pertains to ``notification of amendment.'' Proposed modifications to 
the language in the re-designated Sec.  2400.5(c) are discussed below 
in that section.
    In response to the change above, OSHRC proposes re-designating 
paragraph (d) of Sec.  2400.4, which sets forth the procedures for 
maintaining an accounting of disclosures, as new paragraph (c) of Sec.  
2400.4. OSHRC proposes streamlining the language of new paragraph 
(c)(1). Rather than spelling out that the accounting requirements do 
not pertain to instances ``in which disclosure is made to OSHRC 
employees in the performance of their duties or is required by the 
Freedom of Information Act (5 U.S.C. 552), in conformance with section 
552a(c) of the Privacy Act,'' OSHRC proposes simply stating that ``any 
disclosure made pursuant to paragraphs (b)(2)(i) and (b)(2)(ii) of this 
section'' is excepted. Also, OSHRC proposes inserting the phrase 
``OSHRC shall maintain'' at the beginning of paragraph (c)(1) to 
emphasize that it is, in fact, OSHRC's responsibility to maintain an 
accurate accounting of certain disclosures. OSHRC further proposes 
adding a new paragraph (c)(2) that lists the information required, in 
accordance with 5 U.S.C. 552a(c)(1), for a proper accounting of each 
disclosure. New paragraph (c)(2) would read as follows:

    When an accounting is required under paragraph (c)(1) of this 
section, the following information shall be recorded: The date, 
nature, and purpose of each disclosure of a record to any person or 
to another agency, and the name and address of the person or agency 
to whom the disclosure is made.

OSHRC proposes renumbering current paragraph (d)(2) as new paragraph 
(c)(3), and modifying the language ``for at least five (5) years or the 
life of the record'' to read ``for at least five (5) years after 
disclosure or for the life of the record'' in order to clearly define 
the length of time that an accounting must be maintained. Finally, 
OSHRC proposes renumbering current paragraph (d)(3) as new paragraph 
(c)(4), adding a cross-reference to ``Sec.  2400.6 for suggested form 
of request,'' and deleting the word ``provision'' because it adds 
nothing to the sentence.
    With regard to Sec.  2400.5 (Notification), OSHRC proposes making 
various changes in substance and nomenclature. In the opening sentence 
of paragraph (a) of Sec.  2400.5, OSHRC proposes modifying the phrase 
``personal records systems'' to read ``systems of records'' because 
only the latter phrase is defined in the Privacy Act at 5 U.S.C. 
552a(a)(5).
    In paragraph (a)(2) of Sec.  2400.5, OSHRC proposes deleting the 
word ``personal'' because the definitions of ``record'' and ``system of 
records'' in the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), 
respectively, already reflect that personal identifiable information is 
at issue. In accordance with the amendments to the Privacy Act

[[Page 42788]]

contained in section 201(a), Public Law 97-375 (5 U.S.C. 552a(e)(4)), 
OSHRC also proposes deleting the word ``annually'' from paragraph 
(a)(2) and adding the phrase ``[u]pon establishing or revising a system 
of records.'' Additionally, OSHRC proposes modifying paragraph (a)(2) 
to reflect the data elements that are required by the Office of the 
Federal Register for Privacy Act notices. These fields include: (i) 
System name and location; (ii) security classification; (iii) 
categories of individuals covered by the system; (iv) categories of 
records in the system; (v) authority for maintenance of the system; 
(vi) purpose(s) of the system; (vii) routine uses of records maintained 
in the system, including categories of users and the purpose(s) of such 
uses; (viii) disclosures to consumer reporting agencies; (ix) policies 
and practices for storing, retrieving, accessing, retaining, and 
disposing of records in the system; (x) system manager(s) and address; 
(xi) procedures by which an individual can be informed whether a system 
contains a record pertaining to himself, gain access to such record, 
and contest the content, accuracy, completeness, timeliness, relevance, 
and necessity for retention of the record; (xii) record source 
categories; and (xiii) exemptions claimed for the system. Finally, in 
the opening sentence of paragraph (a)(2) of Sec.  2400.5, OSHRC 
proposes minor grammatical changes, such as inserting ``the'' before 
the words ``existence'' and ``systems.''
    In accordance with the amendments to the Privacy Act contained in 
section 3(b), Public Law 100-503 (5 U.S.C. 552a(r)), OSHRC proposes 
adding a new paragraph (a)(3) to Sec.  2400.5 that sets forth the 
reporting requirements for system-of-records notices. New paragraph 
(a)(3) would read as follows:

    OSHRC shall submit a report, in accordance with guidelines 
provided by the Office of Management and Budget (OMB), in order to 
give advance notice to the Committee on Government Reform of the 
House of Representatives, the Committee on Homeland Security and 
Governmental Affairs of the Senate, and OMB of any proposal to 
establish a new system of records or to significantly change an 
existing system of records.

OSHRC believes it is necessary to add new paragraph (a)(3) to Sec.  
2400.5 in order to provide a comprehensive explanation of the 
notification requirements.
    In paragraph (b) of Sec.  2400.5, OSHRC proposes replacing the 
phrase ``personal information'' with ``record pertaining to the 
individual'' because the term ``record'' is defined in the Privacy Act 
at 5 U.S.C. 552a(a)(4), while the term ``information'' is not.
    OSHRC also proposes substantial changes to paragraph (c) of Sec.  
2400.5. Presently, paragraph (c) states as follows: ``Notification of 
amendment. (See Sec.  2400.7 relating to amendment of records upon 
request.)'' OSHRC proposes deleting this language, and, as discussed 
earlier, inserting the text of current Sec.  2400.4(c), which pertains 
to notifying certain persons and agencies about corrections made to a 
record, and designating it as new paragraph (c)(1) in Sec.  2400.5. 
OSHRC would thus modify the text to read as follows:

    OSHRC shall inform any person or other agency about any 
correction or notation of dispute made by OSHRC to any record that 
has been disclosed to the person or agency, if the correction or 
notation was made pursuant to Sec.  2400.8, and an accounting of the 
disclosure was made pursuant to Sec.  2400.4(c).

The current version of this paragraph states that its requirements 
apply where a ``personal record has been or is to be disclosed.'' 
However, the phrase ``is to be disclosed'' is not included in 5 U.S.C. 
552a(c)(4), the regulation's statutory counterpart. Moreover, from a 
practical standpoint, it would be difficult to notify a person or an 
agency of a correction if the record has not yet been disclosed to that 
person or agency. The remaining changes to new paragraph (c)(1), shown 
above, are based on the statutory text at section 552a(c)(4).
    OSHRC proposes adding a new paragraph (c)(2) to Sec.  2400.5 
setting forth the requirements of 5 U.S.C. 552a(d)(4), which explains 
how agencies are to treat disputed portions of the record. New 
paragraph (c)(2) would read as follows:

    In any disclosure to a person or other agency containing 
information about which the individual has filed a statement of 
disagreement and occurring after the statement was filed, OSHRC 
shall clearly note any portion of the record which is disputed and 
provide copies of the statement and, if OSHRC deems appropriate, 
copies of a concise statement of OSHRC's reasons for not making the 
requested amendments.

OSHRC believes that adding this statutory requirement to Sec.  2400.5 
would help ensure that the rights of those covered by the Privacy Act 
are preserved.
    In accordance with 5 U.S.C. 552a(e)(11), OSHRC proposes amending 
paragraph (d) of Sec.  2400.5 to allow interested persons to ``submit 
written data, views, or arguments to OSHRC'' after a system-of-records 
notice has been published in the Federal Register. OSHRC also proposes 
adding the word ``routine'' before ``use,'' and replacing ``personal 
information'' with ``a system of records'' because, under section 
552a(e)(11), notification is required only for new and revised routine 
uses of systems of records. OSHRC proposes no changes to paragraph (e) 
of Sec.  2400.5.
    With regard to Sec.  2400.6 (Procedures for requesting records), 
OSHRC proposes various substantive and structural changes, as well some 
changes in nomenclature. Throughout Sec.  2400.6, OSHRC proposes 
replacing ``personal information'' with ``record'' because the term 
``record'' is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) and the 
term ``information'' is not. OSHRC also proposes a change in 
nomenclature by replacing ``Executive Director,'' ``responsible 
official,'' and ``disclosure officer'' with ``Privacy Officer'' in 
accordance with the proposed changes to Sec.  2400.3(a).
    In the opening sentence of Sec.  2400.6, OSHRC proposes a change in 
wording by replacing the word ``have'' with ``gain.'' OSHRC also 
proposes deleting the phrase ``within a comprehensive format'' as 
unnecessary.
    In paragraph (a)(1) of Sec.  2400.6, OSHRC proposes deleting the 
last sentence which says the following:

    Access to OSHRC records maintained in National Archives and 
Records Service Centers may be obtained in accordance with the 
regulations issued by the General Services Administration.

According to section 107(g)(2), Public Law 98-497 (5 U.S.C. 
552a(l)(1)), the records that OSHRC sends to the Federal processing 
center are still considered to be under OSHRC's control. Thus, 
disclosure of such records must be in accordance with OSHRC's 
regulations. OSHRC also proposes amending the agency's mailing address 
to include the last four digits of the ZIP code and to spell out 
``Ninth Floor.''
    OSHRC proposes deleting the last sentence in paragraph (a)(2) of 
Sec.  2400.6, which reads, ``Upon request, OSHRC also shall disclose to 
the individual an accounting of any disclosures made from the 
individual's records.'' This sentence is redundant because new Sec.  
2400.4(c)(4) (current Sec.  2400.4(d)(3)) already covers an 
individual's request for an accounting.
    In paragraph (a)(3) of Sec.  2400.6, OSHRC proposes revising the 
Privacy Officer's period for response to read ``10 working days'' 
rather than ``10 days,'' because 5 U.S.C. 552a(d)(2)(A) states that 
Saturdays, Sundays, and legal holidays are excluded from the 10-day 
requirement.
    Paragraphs (b)(1) and (b)(2) of Sec.  2400.6 would remain 
unchanged. However, OSHRC proposes amending paragraph (b)(3) of Sec.  
2400.6 to reflect that a declaration made in accordance

[[Page 42789]]

with 28 U.S.C. 1746 may serve as an alternative to a notarized 
statement, in accordance with section 1(a), Public Law 94-550 (28 
U.S.C. 1746) and Summers v. United States Dep't of Justice, 999 F.2d 
570, 573 (D.C. Cir. 1993).
    While paragraph (c) on verification of guardianship remains 
unchanged, OSHRC proposes modifying paragraph (d) of Sec.  2400.6 to 
indicate that the authorization form discussed in that paragraph must 
be provided by OSHRC. Because the form is intended, in part, to protect 
OSHRC from liability that may arise when records are disseminated to a 
third party accompanying the individual whose records are being 
accessed, OSHRC must make certain that the form is legally adequate.
    OSHRC also proposes deleting current paragraph (e) of Sec.  2400.6, 
which sets forth special rules for requesting medical records, and 
adding a new section Sec.  2400.7 that provides a more legally sound 
procedure for requesting such records. OSHRC also proposes re-
designating current paragraph (f) as new paragraph (e).
    OSHRC proposes re-designating paragraph (g) of Sec.  2400.6 as new 
paragraph (f) and amending its language to require that the Privacy 
Officer, upon denying an individual's request for personal records, 
notify the individual of his or her right to an administrative appeal. 
The paragraph presently requires that the requester be advised of his 
right to judicial review in a district court of the United States. 
However, the administrative appeal is an equally important aspect of 
the review process and, therefore, should be included in the Privacy 
Officer's statement. OSHRC also proposes deleting the phrase ``or other 
appropriate official,'' thereby requiring that the Privacy Officer sign 
any reply denying an individual's written request to review a record. 
Placing clear limits on who has authority to deny such a request is 
necessary to maintain the integrity of the administrative appeal 
process.
    As discussed above, OSHRC proposes creating a new Sec.  2400.7 by 
carving out current paragraph (e) of Sec.  2400.6 and revising it to 
comport with new case law regarding special procedures for medical 
records. Under 5 U.S.C. 552a(f)(3), OSHRC must--

    Establish procedures for the disclosure to an individual upon 
his request of his record or information pertaining to him, 
including special procedure, if deemed necessary, for the disclosure 
to an individual of medical records, including psychological 
records, pertaining to him[.]

Current paragraph (e) of Sec.  2400.6 states the following:

    Medical records shall be disclosed to the requester to whom they 
pertain unless the Executive Director, in consultation with a 
medical doctor named by the requesting individual, determines that 
access to such record could have an adverse effect upon such 
individual. In such a case, the Executive Director shall transmit 
such information to the named medical doctor.

However, in light of Benavides v. United States Bureau of Prisons, 995 
F.2d 269 (D.C. Cir. 1993), current paragraph (e) may no longer be 
valid. In Benavides, the United States Court of Appeals for the 
District of Columbia Circuit found that, while an agency is authorized 
to devise a ``special'' methodology for disclosing medical records 
under section 552a(f)(3), the devised methodology must lead to 
disclosure of the medical records to the requesting individual. Id. at 
272. Thus, the court held that a regulation which expressly 
contemplates that the requesting individual may never see certain 
medical records is not a permissible special procedure. Id. The court, 
however, rejected the argument that the Privacy Act requires direct 
disclosure of medical records to the requesting individual. Id. at 273. 
Recognizing the ``potential harm that could result from unfettered 
access to medical and psychological records,'' the court provided that 
an agency should have the freedom to craft special procedures to limit 
such harm, as long as the agency guarantees ``the ultimate disclosure 
of the medical records to the requesting individual.'' Id. Therefore, 
new Sec.  2400.7 would address the concerns expressed in Benavides by 
setting forth a procedure that guarantees ``the ultimate disclosure of 
medical records to the requesting individual,'' but still requires the 
intervention of a physician in order ``to limit the potential harm.'' 
Id. In part, OSHRC's proposed procedures under this section are based 
on the procedures utilized by the Central Intelligence Agency, 32 CFR 
1901.31.
    OSHRC next proposes re-designating current Sec.  2400.7 (Procedures 
for requesting amendment) as new Sec.  2400.8. Throughout new Sec.  
2400.8, OSHRC would replace ``Executive Director'' with ``Privacy 
Officer'' in accordance with the proposed amendments to Sec.  
2400.3(a). OSHRC then proposes revising paragraph (b)(4) to reflect 
that the Privacy Officer will ``[n]otify the requester of a 
determination not to amend the record, of the reasons for the refusal, 
and of the requester's right to appeal in accordance with [new] Sec.  
2400.9.'' Inexplicably, the current version of paragraph (b)(4) does 
not require OSHRC to explain why a person's request for amendment is 
being denied. OSHRC also proposes severing paragraphs (c) and (d) of 
current Sec.  2400.7 and renumbering them to create a new Sec.  2400.9 
pertaining to appeal procedures. Creating new Sec.  2400.9 by 
separating the appeal procedures from current Sec.  2400.7, which 
pertains to ``procedures for requesting amendment,'' is necessary 
because individuals should be permitted to appeal the agency's denial 
of inspection and copy requests, not just the denial of amendment 
requests.
    In new Sec.  2400.9 (current Sec.  2400.7(c) and (d)), OSHRC 
proposes changing ``Executive Director'' to ``Privacy Officer.'' OSHRC 
also proposes the following changes. New paragraphs (a)(1) and (a)(2) 
of proposed Sec.  2400.9 would coincide with current Sec.  2400.7(c)(1) 
and (c)(2), new paragraph (b) would coincide with current Sec.  
2400.7(c)(3), new paragraph (c) would coincide with current Sec.  
2400.7(c)(4), and new paragraph (d) would coincide with current Sec.  
2400.7(d). In new paragraph (a)(1) (current Sec.  2400.7(c)(1)), OSHRC 
proposes amending the last four digits of the ZIP code in its mailing 
address, spelling out ``Ninth Floor,'' and adding ``Attn: Privacy 
Appeal'' as the second line in the address. In new paragraph (b) of 
Sec.  2400.9 (current Sec.  2400.7(c)(3)), OSHRC proposes the 
following: (1) Adding the word ``working'' after the first mention of 
``30'' because 5 U.S.C. 552a(d)(3) states that Saturdays, Sundays, and 
legal holidays are excluded from the 30-day requirement; (2) replacing 
the word ``determination'' with ``decision'' in order to make new 
paragraph (b) consistent with paragraph (c) (current Sec.  
2400.7(c)(4)); and (3) for the sake of readability, modifying ``not 
complete, accurate, relevant, or timely,'' to read ``incomplete, 
inaccurate, irrelevant, or untimely.'' In new paragraph (c) (current 
Sec.  2400.7(c)(4)), OSHRC proposes to title the paragraph as 
``Decision requirements'' and to add the phrase ``of the United 
States'' after ``district court.'' Finally, in new paragraph (d) 
(current Sec.  2400.7(d)), OSHRC proposes adding ``then'' after ``the 
requester,'' and deleting the word ``personal'' because the definition 
of ``record'' in the Privacy Act at 5 U.S.C. 552a(a)(4) already 
reflects that personal identifiable information is at issue.
    OSHRC proposes deleting current Sec.  2400.7(e). This paragraph 
states that the Executive Director ``is available to provide an 
individual with assistance in exercising rights pursuant to this 
part.'' OSHRC believes that this language creates no affirmative duty 
and is therefore unnecessary. Moreover, OSHRC believes that its 
proposed regulations already adequately ensure

[[Page 42790]]

that an individual requesting records or amendment to records would be 
provided with the information necessary to exercise his or her rights.
    OSHRC proposes re-designating current Sec.  2400.8 (Schedule of 
fees) as new Sec.  2400.10. OSHRC would amend the schedule of fees to 
reflect the change in costs since the original promulgation of the 
current regulations in 1979. Rather than specifying a specific copying 
fee, OSHRC would incorporate by reference Appendix A to 29 CFR Part 
2201--Schedule of Fees in the agency's proposed rulemaking implementing 
the FOIA published at 71 FR 41384, July 21, 2006. OSHRC proposes this 
revision for administrative ease and to ensure that the fees charged 
for FOIA and Privacy Act requests are consistent. Lastly, in accordance 
with 5 U.S.C. 552a(f)(5), OSHRC would amend paragraph (c) to reflect 
that no fee would be charged for reviewing records.
    OSHRC proposes deleting current Sec.  2400.9 (Exemptions), which 
states that ``[s]ubsections 552a(j) and (k) of title 5 * * * empower 
the Chairman to exempt systems of records meeting certain criteria from 
various other subsections of section 552a.'' Under 5 U.S.C. 552a(j) and 
(k), the head of an agency may promulgate rules, in some circumstances, 
to exempt various systems of records from certain Privacy Act 
requirements. A system of records cannot be exempted, however, unless a 
specific rule regarding it has been published. If ever there is a 
system of records that the head of the agency wants to exempt, he or 
she can simply publish a regulation at that time to exempt the system. 
Thus, deleting Sec.  2400.9 would not in any way deprive the Chairman 
of this authority.

Executive Order 12866

    The Commission is an independent regulatory agency, and, as such, 
is not subject to the requirements of E.O. 12866.

Paperwork Reduction Act

    The Commission has determined that the Paperwork Reduction Act, 44 
U.S.C. 3501 et seq., does not apply because these rules do not contain 
any information collection requirements that require the approval of 
OMB.

Executive Order 13132

    The Commission is an independent regulatory agency, and, as such, 
is not subject to the requirements of E.O. 13132. However, as 
independent regulatory agencies are encouraged to comply with this 
executive order, OSHRC has examined the proposed regulatory action in 
light of its requirements. This proposed regulatory action does not 
have Federalism implications. Moreover, the action will not have 
substantial direct effects on the States, on the relationship between 
the national government and the States, or on the distribution of power 
and responsibilities among the various levels of government.

Regulatory Flexibility Act

    The Commission has determined under the Regulatory Flexibility Act, 
5 U.S.C. 605(b), that these rules, if adopted, would not have a 
significant economic impact on a substantial number of small entities. 
Therefore, a Regulatory Flexibility Statement and Analysis has not been 
prepared.

Unfunded Mandates Reform Act of 1995

    The Commission is an independent regulatory agency, and, as such, 
is not subject to the Unfunded Mandates Reform Act, 2 U.S.C. 1501 et 
seq.

Small Business Regulatory Enforcement Fairness Act of 1996

    This proposed rule is not a major rule under the Small Business 
Regulatory Enforcement Fairness Act, 5 U.S.C. 804(2). The proposed rule 
will not result in an annual effect on the economy of more than $100 
million per year; a major increase in costs or prices for consumers, 
individual industries, Federal, State, or local government agencies, or 
geographic regions; or significant adverse effects on competition, 
employment, investment, productivity, innovation, or on the ability of 
United States based enterprises to compete with foreign-based companies 
in domestic and export markets.

List of Subjects in 29 CFR Part 2400

    Administrative practice and procedure, Archives and records, 
Government employees, Privacy.

    Signed at Washington, DC, on July 24, 2006.
W. Scott Railton,
Chairman.

    For the reasons set forth in the preamble, OSHRC proposes that 
Chapter XX, Part 2400 of Title 29, Code of Federal Regulations, be 
revised as follows:

PART 2400--REGULATIONS IMPLEMENTING THE PRIVACY ACT

Sec.
2400.1 Purpose and scope.
2400.2 Description of agency.
2400.3 Delegation of authority.
2400.4 Collection and disclosure of personal information.
2400.5 Notification.
2400.6 Procedures for requesting records.
2400.7 Special procedures for requesting medical records.
2400.8 Procedures for requesting amendment.
2400.9 Procedures for appealing.
2400.10 Schedule of fees.

    Authority: 5 U.S.C. 552a(f); 5 U.S.C. 553.


Sec.  2400.1  Purpose and scope.

    The purpose of the provisions of this part is to provide procedures 
to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is 
applicable only to records that are maintained by the Occupational 
Safety and Health Review Commission (OSHRC or the Commission), which 
includes all systems of records operated on behalf of OSHRC, pursuant 
to a contract, to accomplish an agency function, except for records 
that are disclosed to consumer reporting agencies under section 3711(e) 
of title 31, United States Code. This part is not applicable to the 
rights of parties appearing in adversary proceedings before the 
Commission to obtain discovery from an adverse party. Such matters are 
governed by the Commission's Rules of Procedure, which are published at 
29 CFR 2200.1 et seq.


Sec.  2400.2  Description of agency.

    The Commission adjudicates contested enforcement actions under the 
Occupational Safety and Health Act of 1970 (29 U.S.C. 651-677). 
Decisions of the Commission on such actions are issued only after the 
parties to the case are afforded an opportunity for a hearing in 
accordance with section 554 of title 5, United States Code. All such 
hearings are conducted by an OSHRC Administrative Law Judge at a place 
convenient to the parties and are open to the public. Each Commission 
member has the authority to direct that a decision of a Judge be 
reviewed by the full Commission before becoming a final order. The 
President designates one of the Commissioners as Chairman, who is 
responsible on behalf of the Commission for the administrative 
operations of the Commission.


Sec.  2400.3  Delegation of authority.

    (a) The Chairman shall designate an OSHRC employee as the Privacy 
Officer, and shall delegate to the Privacy Officer the authority to 
insure agency-wide compliance with this part.
    (b) Custodians of the systems of records are responsible for the 
following:
    (1) Adhering to this part within their respective units and, in 
particular, collecting, using and disclosing records, and affording 
individuals the right to

[[Page 42791]]

inspect, obtain copies of and correct records concerning them;
    (2) Reporting the existence of systems of records, changes to the 
contents of those systems and changes of routine use to the Privacy 
Officer, and also establishing the relevancy of records within those 
systems; and
    (3) Maintaining an accurate accounting of each disclosure in 
conformance with Sec.  2400.4(c) of this part.


Sec.  2400.4  Collection and disclosure of personal information.

    (a) The following rules govern the collection of personal 
information throughout OSHRC operations:
    (1) OSHRC shall:
    (i) Solicit, collect and maintain in its records only such personal 
information as is relevant and necessary to accomplish a purpose 
required by statute or executive order;
    (ii) Maintain all records which are used by OSHRC in making any 
determination about any individual with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to ensure 
fairness to the individual in the determination;
    (iii) Collect information, to the greatest extent practicable, 
directly from the subject individual when such information may result 
in adverse determinations about an individual's rights, benefits or 
privileges under Federal programs; and
    (iv) Inform any individual requested to disclose personal 
information whether that disclosure is mandatory or voluntary, by what 
authority it is solicited, the principal purposes for which it is 
intended to be used, the routine uses which may be made of it, and any 
penalties or consequences known to OSHRC which shall result to the 
individual from such non-disclosure.
    (2) OSHRC shall not discriminate against any individual who fails 
to provide personal information unless that information is required or 
necessary for the conduct of the system or program in which the 
individual desires to participate. See Sec.  2400.4(a)(1)(i).
    (3) No record shall be collected or maintained which describes how 
any individual exercises rights guaranteed by the First Amendment 
unless the Commission specifically determines that such information is 
relevant and necessary to carry out a statutory purpose of OSHRC, and 
the collection or maintenance of the record is expressly authorized by 
statute or by the individual about whom the record is maintained, or 
unless the record is pertinent to and within the scope of an authorized 
law enforcement activity.
    (4) OSHRC shall not require disclosure of any individual's Social 
Security account number or deny a right, privilege or benefit because 
of the individual's refusal to disclose the number unless disclosure is 
required by Federal law.
    (b) Disclosures--(1) Limitations. OSHRC shall not disclose any 
record which is contained in a system of records by any means of 
communication to any person, or to another agency, except pursuant to a 
written request by, or with the prior written consent of, the 
individual to whom the record pertains.
    (2) Exceptions. A record may be disseminated without satisfying the 
requirements of paragraph (b)(1) of this section if disclosure is made:
    (i) To a person pursuant to a requirement of the Freedom of 
Information Act (5 U.S.C. 552);
    (ii) To those officers and employees of OSHRC who have a need for 
the record in the performance of their duties;
    (iii) For a routine use as contained in the system notices 
published in the Federal Register;
    (iv) To a recipient who has provided OSHRC with adequate advance 
written assurance that the record shall be used solely as a statistical 
reporting or research record, and the record is to be transferred in a 
form that is not personally identifiable;
    (v) To the Bureau of the Census for purposes of planning or 
carrying out a census or survey or related activity pursuant to the 
provisions of title 13, United States Code;
    (vi) To the National Archives and Records Administration as a 
record which has sufficient historical or other value to warrant its 
continued preservation by the United States Government, or for 
evaluation by the Archivist of the United States or the designee of the 
Archivist to determine whether the record has such value;
    (vii) To a person pursuant to a showing of compelling circumstances 
affecting the health or safety of an individual, if upon such 
disclosure notification is transmitted to the last known address of 
such individual;
    (viii) To another agency or an instrumentality of any governmental 
jurisdiction within or under the control of the United States for a 
civil or criminal law enforcement activity, if such activity is 
authorized by law and if the head of the agency or instrumentality has 
made a written request to OSHRC specifying the particular portion of 
the record desired and the law enforcement activity for which the 
record is sought;
    (ix) To either House of Congress, or, to the extent of matter 
within its jurisdiction, any committee or subcommittee thereof, or any 
joint committee of Congress or subcommittee of any such joint 
committee;
    (x) To the Comptroller General or any of his authorized 
representatives in the course of the performance of the duties of the 
Government Accountability Office;
    (xi) Pursuant to the order of a court of competent jurisdiction; or
    (xii) To a consumer reporting agency in accordance with section 
3711(e) of title 31, United States Code.
    (3) Employee credit references. OSHRC's Office of Administration 
shall verify the following information provided by an employee to a 
credit bureau or commercial firm from which an employee is seeking 
credit: Length of service, job title, grade, salary, tenure of 
employment, and Civil Service status.
    (4) Employee job references. Prospective employers of an OSHRC 
employee or a former OSHRC employee may be furnished with the 
information in paragraph (b)(3) of this section in addition to the date 
and reason for separation if applicable, upon the request of the 
employee or former employee.
    (5) Disclosures to third parties. OSHRC shall not disseminate any 
record about an individual to any person other than an agency unless 
the record is disseminated pursuant to paragraph (b)(2)(i) of this 
section, or reasonable efforts have been made to ensure that the record 
is accurate, complete, timely and relevant.
    (6) Anticipated legal action. Nothing in this section shall allow 
an individual access to any information compiled in reasonable 
anticipation of a civil action or proceeding.
    (c) Accounting of disclosures--(1) OSHRC shall maintain an accurate 
accounting of each disclosure, except for any disclosure made pursuant 
to paragraphs (b)(2)(i) and (b)(2)(ii) of this section.
    (2) When an accounting is required under paragraph (c)(1) of this 
section, the following information shall be recorded: The date, nature, 
and purpose of each disclosure of a record to any person or to another 
agency, and the name and address of the person or agency to whom the 
disclosure is made.
    (3) The accounting shall be maintained for at least five (5) years 
after disclosure or for the life of the record, whichever is longer.
    (4) The accounting shall be made available to the individual named 
in the record upon inquiry, except for disclosures made pursuant to 
paragraph

[[Page 42792]]

(b)(2)(viii) of this section relating to law enforcement activities. 
See Sec.  2400.6 for suggested form of request.


Sec.  2400.5  Notification.

    (a) Notification of systems. The following procedures permit 
individuals to determine the types of systems of records maintained by 
OSHRC.
    (1) Upon written request, OSHRC shall notify any individual whether 
a specific system named by him contains a record pertaining to him. See 
Sec.  2400.6 for suggested form of request.
    (2) Upon establishing or revising a system of records, OSHRC shall 
publish in the Federal Register a notice of the existence and character 
of the system of records. This notice shall contain the following 
information:
    (i) System name and location;
    (ii) Security classification;
    (iii) Categories of individuals covered by the system;
    (iv) Categories of records in the system;
    (v) Authority for maintenance of the system;
    (vi) Purpose(s) of the system;
    (vii) Routine uses of records maintained in the system, including 
categories of users and the purpose(s) of such uses;
    (viii) Disclosures to consumer reporting agencies;
    (ix) Policies and practices for storing, retrieving, accessing, 
retaining, and disposing of records in the system;
    (x) System manager(s) and address;
    (xi) Procedures by which an individual can be informed whether a 
system contains a record pertaining to himself, gain access to such 
record, and contest the content, accuracy, completeness, timeliness, 
relevance and necessity for retention of the record;
    (xii) Record source categories; and
    (xiii) Exemptions claimed for the system.
    (3) OSHRC shall submit a report, in accordance with guidelines 
provided by the Office of Management and Budget (OMB), in order to give 
advance notice to the Committee on Government Reform of the House of 
Representatives, the Committee on Homeland Security and Governmental 
Affairs of the Senate, and OMB of any proposal to establish a new 
system of records or to significantly change an existing system of 
records.
    (b) Notification of disclosure. OSHRC shall make reasonable efforts 
to serve notice on an individual before any record pertaining to the 
individual is made available to any person under compulsory legal 
process when such process becomes a matter of public record.
    (c) Notification of amendment--(1) OSHRC shall inform any person or 
other agency about any correction or notation of dispute made by OSHRC 
to any record that has been disclosed to the person or agency, if the 
correction or notation was made pursuant to Sec.  2400.8, and an 
accounting of the disclosure was made pursuant to Sec.  2400.4(c).
    (2) In any disclosure to a person or other agency containing 
information about which the individual has filed a statement of 
disagreement and occurring after the statement was filed, OSHRC shall 
clearly note any portion of the record which is disputed and provide 
copies of the statement and, if OSHRC deems appropriate, copies of a 
concise statement of OSHRC's reasons for not making the requested 
amendments.
    (d) Notification of new routine use. Any new or revised routine use 
of a system of records maintained by OSHRC shall be published in the 
Federal Register thirty (30) days before such use becomes operational. 
Interested persons may then submit written data, views, or arguments to 
OSHRC.
    (e) Notification of exemptions. OSHRC shall publish in the Federal 
Register its intent to exempt any system of records and shall specify 
the nature and purpose of that system.


Sec.  2400.6  Procedures for requesting records.

    The purpose of this section is to provide procedures by which an 
individual may gain access to his records.
    (a) Submission of requests for access--(1) Manner. An individual 
seeking information regarding the contents of records systems or access 
to records about himself in a system of records should present a 
written request to that effect either in person or by mail to the 
Privacy Officer, OSHRC, One Lafayette Centre, 1120-20th Street, NW., 
Ninth Floor, Washington, DC 20036-3457.
    (2) Specification of records sought. Requests for access to records 
shall describe the nature of the record sought, the approximate dates 
covered by the record, and the system in which the record is thought to 
be included as described in the ``Notification'' for that system as 
published in the Federal Register. The requester should also indicate 
whether he wishes to review the record in person or obtain a copy by 
mail. If the information supplied is insufficient to locate or identify 
the record, the requester shall be notified promptly and, if necessary, 
informed of additional information required.
    (3) Period for response. Upon receipt of an inquiry the Privacy 
Officer shall respond promptly to the request and no later than 10 
working days from receipt of such inquiry.
    (b) Verification of identity. The following standards are 
applicable to any individual who requests records concerning himself:
    (1) An individual seeking access to records about himself in person 
may establish his identity by the presentation of a single document 
bearing a photograph (such as a passport, employee identification card, 
or valid driver's license) or by the presentation of two items of 
identification which do not bear a photograph but do bear both a name 
and address (such as a valid driver's license, or credit card).
    (2) An individual seeking access to records about himself by mail 
shall establish his identity by a signature, address, date of birth, 
place of birth, employee identification number, if any, and one other 
identifier such as a photocopy of an identifying document.
    (3) An individual seeking access to records about himself by mail 
or in person who cannot provide the necessary documentation of 
identification may provide a notarized statement, or a declaration in 
accordance with 28 U.S.C. 1746, swearing or affirming to his identity 
and to the fact that he understands the penalties for false statements 
pursuant to 18 U.S.C. 1001. Forms for notarized statements may be 
obtained on request from the Privacy Officer.
    (c) Verification of guardianship. The parent or guardian of a minor 
or a person judicially determined to be incompetent and seeking to act 
on behalf of such minor or incompetent shall, in addition to 
establishing his own identity, establish the identity of the minor or 
other person he represents as required in paragraph (b) of this section 
and establish his own parentage or guardianship of the subject of the 
record by furnishing either a copy of a birth certificate showing 
parentage or a court order establishing the guardianship.
    (d) Accompanying persons. An individual seeking to review records 
about himself may be accompanied by another individual of his own 
choosing. Both the individual seeking access and the individual 
accompanying him shall be required to sign a form provided by OSHRC 
indicating that OSHRC is authorized to discuss the contents of the 
subject record in the presence of both individuals.
    (e) When compliance is possible--(1) The Privacy Officer shall 
inform the requester of the determination to grant the request and 
shall make the record available to the individual in the

[[Page 42793]]

manner requested, that is, either by forwarding a copy of the 
information to him or by making it available for review, unless:
    (i) It is impracticable to provide the requester with a copy of a 
record, in which case the requester shall be so notified, and, in 
addition, be informed of the procedures set forth in paragraph (b)(2) 
of this section, or
    (ii) The Privacy Officer has reason to believe that the cost of a 
copy of a record is considerably more expensive than anticipated by the 
requester, in which case he shall notify the requester of the estimated 
cost, and ascertain whether the requester still wishes to be provided 
with a copy of the information.
    (2) Where a record is to be reviewed by the requester in person, 
the Privacy Officer shall inform the requester in writing of:
    (i) The date on which the record shall become available for review, 
the location at which it may be reviewed, and the hours for inspection;
    (ii) The type of identification that shall be required in order for 
him to review the record;
    (iii) Such person's right to have a person of his own choosing 
accompany him to review the record; and
    (iv) Such person's right to have a person other than himself review 
the record.
    (3) If the requester seeks to inspect the record without receiving 
a copy, he shall not leave OSHRC premises with the record and shall 
sign a statement indicating he has reviewed a specific record or 
category of record.
    (f) Response when compliance is not possible. A reply denying a 
written request to review a record shall be in writing signed by the 
Privacy Officer and shall be made only if such a record does not exist 
or does not contain personal information relating to the requester, or 
is exempt. This reply shall include a statement regarding the 
determining factors of denial, and the requester's rights to 
administrative appeal and thereafter judicial review in a district 
court of the United States.


Sec.  2400.7  Special procedures for requesting medical records.

    (a) Upon an individual's request for access to his medical, 
including psychological records, the Privacy Officer shall make a 
preliminary determination on whether access to such records could have 
an adverse effect upon the requester. If the Privacy Officer determines 
that access could have an adverse effect on the requester, OSHRC shall 
notify the requester in writing and advise that the records at issue 
can be made available only to a physician of the requester's 
designation. Upon receipt of such designation, verification of the 
identity of the physician, and agreement by the physician to review the 
documents with the requesting individual, to explain the meaning of the 
documents, and to offer counseling designed to temper any adverse 
reaction, OSHRC shall forward such records to the designated physician.
    (b) If, within sixty (60) days of OSHRC's written request for a 
designation, the requester has failed to respond or designate a 
physician, or the physician fails to agree to the release conditions, 
then OSHRC shall hold the documents in abeyance and advise the 
requester that this action may be construed as a technical denial. 
OSHRC shall also advise the requester of his rights to administrative 
appeal and thereafter judicial review in a district court of the United 
States.


Sec.  2400.8  Procedures for requesting amendment.

    (a) Submission of requests for amendment. Upon review of an 
individual's personal record, that individual may submit a request to 
amend such record. This request shall be submitted in writing to the 
Privacy Officer and shall include a statement of the amendment 
requested and the reasons for such amendment, e.g., relevance, 
accuracy, timeliness or completeness of the record.
    (b) Action to be taken by the Privacy Officer. Upon receiving an 
amendment request, the Privacy Officer shall promptly:
    (1) Acknowledge in writing within ten (10) working days the receipt 
of the request;
    (2) Make such inquiry as is necessary to determine whether the 
amendment is appropriate; and
    (3) Correct or eliminate any information that is found to be 
incomplete, inaccurate, irrelevant to a statutory purpose of OSHRC, or 
untimely and notify the requester when this action is complete; or
    (4) Notify the requester of a determination not to amend the 
record, of the reasons for the refusal, and of the requester's right to 
appeal in accordance with Sec.  2400.9.


Sec.  2400.9  Procedures for appealing.

    (a) Submission of appeal--(1) If a request to inspect, copy or 
amend a record is denied, in whole or in part, or if no determination 
is made within the period prescribed by this part, then the requester 
may appeal to the Chairman, Attn: Privacy Appeal, OSHRC, One Lafayette 
Centre, 1120-20th Street, NW., Ninth Floor, Washington, DC 20036-3457.
    (2) The requester shall submit his appeal in writing within thirty 
(30) days of the date of denial, or within ninety (90) days of such 
request if the appeal is from a failure of the Privacy Officer to make 
a determination. The letter of appeal should include, as applicable:
    (i) Reasonable identification of the record to which access was 
sought or the amendment of which was requested.
    (ii) A statement of the OSHRC action or failure to act being 
appealed and the relief sought.
    (iii) A copy of the request, the notification of denial and any 
other related correspondence.
    (b) Final decisions. The Chairman shall make his final decision not 
later than thirty (30) working days from the date of the request, 
unless he extends the time for good cause to be shown by him but not to 
exceed ninety (90) days from the date of the request. Any record found 
on appeal to be incomplete, inaccurate, irrelevant, or untimely, shall 
within thirty (30) working days of the date of such findings be 
appropriately amended.
    (c) Decision requirements. The decision of the Chairman constitutes 
the final decision of OSHRC on the right of the requester to inspect, 
copy, change or update a r