Regulations Implementing the Privacy Act of 1974, 57416-57425 [06-8399]

Agencies

• Occupational Safety and Health Review Commission

[Federal Register Volume 71, Number 189 (Friday, September 29, 2006)]
[Rules and Regulations]
[Pages 57416-57425]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-8399]


=======================================================================
-----------------------------------------------------------------------

OCCUPATIONAL SAFETY AND HEALTH REVIEW COMMISSION

29 CFR Part 2400


Regulations Implementing the Privacy Act of 1974

AGENCY: Occupational Safety and Health Review Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Occupational Safety and Health Review Commission (OSHRC) 
is amending its regulations implementing the Privacy Act of 1974, 5 
U.S.C. 552a. The Privacy Act has been amended multiple times since 
OSHRC first promulgated its regulations in 1979. The amendments to 
OSHRC's regulations at 29 CFR Part 2400 will assist the agency in 
complying with the requirements of the Privacy Act.

DATES: Effective September 29, 2006.

FOR FURTHER INFORMATION CONTACT: Ron Bailey, Attorney-Advisor, Office 
of the General Counsel, via telephone at (202) 606-5410, or via e-mail 
at rbailey@oshrc.gov.

SUPPLEMENTARY INFORMATION: OSHRC published a notice of proposed 
rulemaking on July 28, 2006, 71 FR 42785, which would revise 29 CFR 
Part 2400. Interested persons were afforded an opportunity to 
participate in the rulemaking process through submission of written 
comments on the proposed rule. OSHRC received no public comments. We 
have reviewed the proposed rule and now adopt it as the agency's final 
rule.
    OSHRC's regulations at Part 2400 implementing the Privacy Act of 
1974 were first promulgated on January 19, 1979, 44 FR 3968. These 
regulations had not been revised, except for changes made to the office 
address referenced in Sec. Sec.  2400.6 and 2400.7, 58 FR 26065, April 
30, 1993. Since 1979, however, the Privacy Act has been amended on 
numerous occasions. These statutory changes, along with intervening 
case law, compel OSHRC to amend its

[[Page 57417]]

regulations at Part 2400. Because OSHRC is making extensive revisions 
to these regulations, OSHRC has reproduced them in their entirety for 
the convenience of the reader at the end of this document. OSHRC's 
specific amendments to Part 2400 are discussed below in regulatory 
sequence.
    OSHRC is first amending its authority citation to exclude all 
references to popular names and statutes at large. The Office of the 
Federal Register has expressed a preference for citing only to the 
United States Code when referencing a Federal statute.
    In Sec.  2400.1 (Purpose and scope), OSHRC is making several 
changes to clarify what Part 2400 covers. In accordance with the 
amendments to the Privacy Act contained in section 2(b), Pub. L. 97-365 
(5 U.S.C. 552a(m)(2)), OSHRC is amending Sec.  2400.1 to reflect that 
Part 2400 no longer covers systems of records ``that are disclosed to 
consumer reporting agencies under [section] 3711(e) of title 31, United 
States Code.'' Additionally, OSHRC is amending Sec.  2400.1 to reflect 
that Part 2400 applies only to ``records that are maintained by 
[OSHRC].'' The prior version of Sec.  2400.1 states that OSHRC's 
Privacy Act regulations ``are applicable only to such items of 
information as relate to the agency or are within its custody.'' 
However, the term ``record'' is defined in the Privacy Act at 5 U.S.C. 
552a(a)(4) while the term ``items of information'' is not. Therefore, 
amending Sec.  2400.1 to substitute ``record'' for ``items of 
information'' more appropriately limits the purpose and scope of the 
regulations in accordance with the statute. OSHRC is also deleting the 
last sentence of Sec.  2400.1, which states ``[t]his part is intended 
to protect individual privacy, and affects all personal information 
collection and usage activity of the agency,'' because it is overly 
broad. Based on these amendments, revised Sec.  2400.1 reads as 
follows:

The purpose of the provisions of this part is to provide procedures 
to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is 
applicable only to records that are maintained by the Occupational 
Safety and Health Review Commission (OSHRC or the Commission), which 
includes all systems of records operated on behalf of OSHRC, 
pursuant to a contract, to accomplish an agency function, except for 
records that are disclosed to consumer reporting agencies under 
section 3711(e) of title 31, United States Code. This part is not 
applicable to the rights of parties appearing in adversary 
proceedings before the Commission to obtain discovery from an 
adverse party. Such matters are governed by the Commission's Rules 
of Procedure, which are published at 29 CFR 2200.1 et seq.

    Revising Sec.  2400.1 in this manner incorporates a statutory 
change to the Privacy Act, as well as clarifies the proper scope of the 
agency's regulations under Part 2400.
    In Sec.  2400.2 (Description of agency), OSHRC is adding a sentence 
to the end of the section that provides additional details about the 
designation of one of the Commissioners as the Chairman and his 
responsibilities for the administrative operations of the Commission, 
consistent with section 12(e) of the Occupational Safety and Health Act 
of 1970, 29 U.S.C. 661(e). OSHRC is also making a simple change in 
nomenclature by deleting ``Occupational Safety and Health Review 
Commission'' and replacing it with ``The Commission.'' The agency's 
full name is first noted in revised Sec.  2400.1 based on the 
amendments to that section discussed above.
    OSHRC is amending several items in Sec.  2400.3 (Delegation of 
authority). In paragraph (a) of Sec.  2400.3, OSHRC is revising the 
paragraph's language to provide that ``[t]he Chairman shall designate 
an OSHRC employee as the Privacy Officer, and shall delegate to the 
Privacy Officer the authority to ensure agency-wide compliance with 
this part.'' In the prior version of paragraph (a), this authority was 
delegated to the Executive Director. In recent years, the Office of 
Management and Budget (OMB) has issued various guidance memoranda 
regarding the responsibilities of executive departments and agencies on 
privacy matters, including Safeguarding Personally Identifiable 
Information, OMB-06-15 (May 22, 2006); Designation of Senior Agency 
Officials for Privacy, OMB Memorandum M-05-08 (Feb. 11, 2005); and OMB 
Guidance for Implementing the Privacy Provision of the E-Government Act 
of 2002, OMB Memorandum M-03-22 (Sept. 30, 2003). By creating the 
position of Privacy Officer and providing this individual with the 
authority to handle Privacy Act matters, OSHRC will be better able to 
respond to future changes in requirements and subsequent guidance in 
the privacy arena.
    In paragraph (b) of Sec.  2400.3, OSHRC is replacing the term 
``[c]ustodians'' with the more specific term ``[c]ustodians of the 
systems of records'' in order to better define those persons covered by 
paragraph (b). In accordance with the amendments to Sec.  2400.3(a), 
OSHRC is also replacing the term ``Executive Director'' with ``Privacy 
Officer.'' Additionally, OSHRC is dividing existing paragraph (b) into 
paragraphs (b)(1) and (b)(2) and adding a new paragraph (b)(3) in order 
to highlight the various duties of the custodians of the systems of 
records. Specifically, OSHRC is reformatting paragraph (b) by turning 
its first and second sentences into new paragraphs (b)(1) and (b)(2), 
respectively. OSHRC is making several grammatical changes in new 
paragraph (b)(1) by transforming the words ``adherence,'' 
``collection,'' ``use,'' and ``disclosure'' into present participles. 
OSHRC is replacing (1) the word ``information'' and the phrase 
``personal information'' with the word ``records,'' and (2) the phrase 
``personal records systems'' with the phrase ``systems of records.'' 
Because the terms ``record'' and ``system of records'' are defined in 
the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), use of these terms 
better delineates the scope of revised paragraph (b). OSHRC is adding a 
new paragraph (b)(3), which makes the custodians of the systems of 
records responsible for maintaining an accurate accounting of each 
disclosure in conformance with old Sec.  2400.4(d) (new Sec.  
2400.4(c)) and its statutory counterpart in the Privacy Act at 5 U.S.C. 
552a(c). Custodians of the systems of records are best suited to 
maintain an accounting of each disclosure because they have the most 
interaction with the systems of records and are usually involved in 
processing the requests for records.
    With regard to Sec.  2400.4 (Collection and disclosure of personal 
information), OSHRC is making several structural and substantive 
changes, as well as some minor changes in wording. In paragraph 
(a)(1)(i) of Sec.  2400.4, OSHRC is adding the phrase ``in its 
records'' after ``[s]olicit, collect and maintain'' to clarify that 
OSHRC's responsibilities under this provision only extend to 
information that is maintained in a record. OSHRC is also adding a new 
paragraph (a)(1)(ii) that lists the responsibilities set forth in 5 
U.S.C. 552a(e)(5), which requires each agency to--

Maintain all records which are used by the agency in making any 
determination about any individual with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to assure 
fairness to the individual in the determination.

    With the addition of new paragraph (a)(1)(ii), Sec.  2400.4(a)(1) 
better reflects OSHRC's responsibilities under the Privacy Act. OSHRC 
is renumbering old paragraphs (a)(1)(ii) and (iii) as new paragraphs 
(a)(1)(iii) and (iv). In order to better track the statutory language 
of 5 U.S.C. 552a(e)(2), OSHRC is adding the phrase ``under Federal 
programs'' after ``benefits or privileges'' in the newly renumbered 
paragraph (a)(1)(iii). Finally, OSHRC is making a minor

[[Page 57418]]

change by deleting ``the'' before ``OSHRC'' in new paragraph 
(a)(1)(iv).
    OSHRC is not making any changes to paragraph (a)(2). In paragraph 
(a)(3) of Sec.  2400.4, however, OSHRC is replacing the word 
``information'' with ``record'' because the term ``record'' is defined 
in the Privacy Act at 5 U.S.C. 552a(a)(4) while the term 
``information'' is not, and thus amending paragraph (a)(3) in this 
manner better defines this paragraph's scope. OSHRC is also adding the 
phrase ``or maintenance of the record'' after ``collection'' to clarify 
that all of the requirements and exceptions in the paragraph apply to 
both the collection and maintenance of records. Finally, OSHRC is 
amending paragraph (a)(3) to include language that excludes records 
``pertinent to and within the scope of an authorized law enforcement 
activity,'' in accordance with 5 U.S.C. 552a(e)(7). OSHRC is making no 
changes to Sec.  2400.4(a)(4).
    OSHRC is making structural and substantive changes to paragraphs 
(b)(1) and (b)(2) of Sec.  2400.4. Specifically, OSHRC is amending 
paragraph (b)(1) to incorporate the opening statutory language 
contained in 5 U.S.C. 552a(b). Paragraph (b)(1) now reads:

OSHRC shall not disclose any record which is contained in a system 
of records by any means of communication to any person, or to 
another agency, except pursuant to a written request by, or with the 
prior written consent of, the individual to whom the record 
pertains.

    The prior version of the regulation at Sec.  2400.4(b)(1)--which, 
in part, prevented OSHRC from disseminating records ``unless reasonable 
efforts have been made to assure that the information is accurate, 
complete, timely and relevant''--could have been construed as applying 
to Freedom of Information Act (FOIA) requests. Under 5 U.S.C. 
552a(e)(6), however, agency responses to FOIA requests are specifically 
exempted from the Privacy Act requirement that agencies must make 
reasonable efforts to ensure, when disclosing records about an 
individual to any person, that such records are accurate, complete, 
timely, and relevant. This exemption makes sense because the purpose of 
a FOIA request may be, for example, to gather information that reflects 
an agency's propensity for maintaining inaccurate records. 
Consequently, it is not appropriate to require that such records 
requested under the FOIA be examined in this manner under the Privacy 
Act. Thus, in order to eliminate such an interpretation, OSHRC is 
amending paragraph (b)(1) in the aforementioned manner, amending 
paragraph (b)(2) to list exceptions to revised paragraph (b)(1), and 
adding new paragraph (b)(5) which defines when records should be 
``accurate, complete, timely and relevant.''
    As to paragraph (b)(2) of Sec.  2400.4, OSHRC is making the 
following changes. First, in order to reflect that revised paragraph 
(b)(2) lists exceptions to the rule set forth in revised paragraph 
(b)(1), OSHRC is revising the opening clause to read, ``Exceptions: A 
record may be disseminated without satisfying the requirements of 
paragraph (b)(1) of this section if disclosure is made: * * *.'' 
Second, OSHRC is replacing the word ``information'' with ``record'' in 
paragraphs (b)(2)(ii) and (b)(2)(iv), because the term ``record'' is 
defined in the Privacy Act at 5 U.S.C. 552a(a)(4), while the term 
``information'' is not. Third, in paragraph (b)(2)(iv), OSHRC is adding 
the words ``OSHRC with'' between ``provided'' and ``adequate advance 
written assurance'' in order to clarify that notice must be provided to 
OSHRC. In that paragraph, OSHRC is also replacing the phrase 
``individually identifiable'' with ``personally identifiable'' because 
this is a term of art used by Privacy Act practitioners. Fourth, OSHRC 
is making a change in nomenclature by spelling out ``United States'' in 
paragraph (b)(2)(v) and deleting ``the'' before ``OSHRC'' in paragraph 
(b)(2)(viii). Fifth, in accordance with the amendments to the Privacy 
Act contained in section 107(g)(1), Pub. L. 98-497 (5 U.S.C. 
552a(b)(6)), OSHRC is modifying, in paragraph (b)(2)(vi), ``National 
Archives of the United States'' to read ``National Archives and Records 
Administration,'' and ``Administrator of General Services'' to read 
``Archivist of the United States or the designee of the Archivist.'' 
Sixth, OSHRC is modifying, in paragraph (b)(2)(viii), ``Federal 
agency'' to read ``another agency.'' This revision better tracks the 
statutory language at 5 U.S.C. 552a(b)(7) and makes clear that the 
records can be disclosed to federal, state, or local agencies. In this 
regard, OMB states in its guidelines, 40 FR 28948, 28955, July 9, 1975, 
that in addition to providing for disclosures to federal law 
enforcement agencies, section 552a(b)(7) allows an agency, ``upon 
receipt of a written request, [to] disclose a record to another agency 
or unit of State or local government for a civil or criminal law 
enforcement activity.'' Seventh, in order to better track the language 
of 5 U.S.C. 552a(b)(9), OSHRC is modifying paragraph (b)(2)(ix) of 
Sec.  2400.4 to read, ``To either House of Congress, or, to the extent 
of matter within its jurisdiction, any committee or subcommittee 
thereof, or any joint committee of Congress or subcommittee of any such 
joint committee.'' Eighth, in accordance with the GAO Human Capital 
Reform Act of 2004, Pub. L. 108-271, 118 Stat. 811, OSHRC is modifying, 
in paragraph (b)(2)(x), ``General Accounting Office'' to read 
``Government Accountability Office.'' Finally, OSHRC is adding a new 
paragraph (b)(2)(xii) which, in accordance with the amendments to the 
Privacy Act contained in section 2(a), Pub. L. 97-365 (5 U.S.C. 
552a(b)(12)), permits disclosure ``[t]o a consumer reporting agency in 
accordance with section 3711(e) of title 31, United States Code.''
    OSHRC is making some minor changes, such as capitalizing 
``Service'' in paragraph (b)(3) and revising ``Sec.  2400.4(b)(3) 
above'' to read ``paragraph (b)(3) of this section'' in paragraph 
(b)(4). In paragraph (b)(3), OSHRC is also changing ``The Personnel 
Office'' to ``OSHRC's Office of Administration'' based on the agency's 
recent reorganization.
    OSHRC is adding new paragraphs (b)(5) and (b)(6) to Sec.  2400.4, 
which essentially incorporate the statutory language of 5 U.S.C. 
552a(e)(6) and (d)(5), respectively. Paragraph (b)(5) is changed 
slightly from that stated in the NPRM, which initially stated: ``OSHRC 
shall not disseminate any record about an individual to any person 
other than an agency unless the record is disseminated pursuant to 
paragraph (b)(2)(i) of this section, or reasonable efforts have been 
made to ensure that the record is accurate, complete, timely and 
relevant.'' Upon further review of 5 U.S.C. 552a(e)(6), OSHRC makes a 
minor edit to paragraph (b)(5) so it more clearly tracks the statute as 
follows:

Disclosures to third parties. Prior to disseminating any record 
about an individual to any person other than an agency, unless the 
record is disseminated pursuant to paragraph (b)(2)(i) of this 
section, OSHRC shall make reasonable efforts to ensure that the 
record is accurate, complete, timely and relevant.

    Paragraph (b)(6) reads:

Anticipated legal action. Nothing in this section shall allow an 
individual access to any information compiled in reasonable 
anticipation of a civil action or proceeding.

    OSHRC is adding these provisions to Sec.  2400.4 in order to track 
the statute and make the regulations comprehensive.
    OSHRC is re-designating old Sec.  2400.4(c) as new Sec.  2400.5(c). 
The old Sec.  2400.4(c), which pertains to notifying certain persons 
and agencies about corrections made to a record, is a better fit for 
new Sec.  2400.5(c), which pertains to ``[n]otification of amendment.''

[[Page 57419]]

Modifications to the language in the re-designated Sec.  2400.5(c) are 
discussed below in that section.
    In response to the change above, OSHRC is re-designating old 
paragraph (d) of Sec.  2400.4, which sets forth the procedures for 
maintaining an accounting of disclosures, as new paragraph (c) of Sec.  
2400.4. OSHRC is streamlining the language of new paragraph (c)(1). 
Rather than spelling out that the accounting requirements do not 
pertain to instances ``in which disclosure is made to OSHRC employees 
in the performance of their duties or is required by the Freedom of 
Information Act (5 U.S.C. 552), in conformance with section 552a(c) of 
the Privacy Act,'' OSHRC is amending the paragraph to read that ``any 
disclosure made pursuant to paragraphs (b)(2)(i) and (b)(2)(ii) of this 
section'' is excepted. Also, OSHRC is inserting the phrase ``OSHRC 
shall maintain'' at the beginning of paragraph (c)(1) to emphasize that 
it is, in fact, OSHRC's responsibility to maintain an accurate 
accounting of certain disclosures. OSHRC is adding a new paragraph 
(c)(2) that lists the information required, in accordance with 5 U.S.C. 
552a(c)(1), for a proper accounting of each disclosure. New paragraph 
(c)(2) reads as follows:

When an accounting is required under paragraph (c)(1) of this 
section, the following information shall be recorded: the date, 
nature, and purpose of each disclosure of a record to any person or 
to another agency, and the name and address of the person or agency 
to whom the disclosure is made.

    OSHRC is renumbering old paragraph (d)(2) as new paragraph (c)(3), 
and modifying the language ``for at least five (5) years or the life of 
the record'' to read ``for at least five (5) years after disclosure or 
for the life of the record'' in order to clearly define the length of 
time that an accounting must be maintained. Finally, OSHRC is 
renumbering old paragraph (d)(3) as new paragraph (c)(4), adding a 
cross-reference to ``Sec.  2400.6 for suggested form of request,'' and 
deleting the word ``provision'' because it adds nothing to the 
sentence.
    With regard to Sec.  2400.5 (Notification), OSHRC is making various 
changes in substance and nomenclature. In the opening sentence of 
paragraph (a) of Sec.  2400.5, OSHRC is modifying the phrase ``personal 
records systems'' to read ``systems of records'' because only the 
latter phrase is defined in the Privacy Act at 5 U.S.C. 552a(a)(5).
    In paragraph (a)(2) of Sec.  2400.5, OSHRC is deleting the word 
``personal'' because the definitions of ``record'' and ``system of 
records'' in the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), 
respectively, already reflect that personally identifiable information 
is at issue. In accordance with the amendments to the Privacy Act 
contained in section 201(a), Pub. L. 97-375 (5 U.S.C. 552a(e)(4)), 
OSHRC is also deleting the word ``annually'' from paragraph (a)(2) and 
adding the phrase ``[u]pon establishing or revising a system of 
records.'' Additionally, OSHRC is modifying paragraph (a)(2) to reflect 
the data elements for Privacy Act notices that are required by the 
Office of the Federal Register. These fields include: (i) System name 
and location; (ii) security classification; (iii) categories of 
individuals covered by the system; (iv) categories of records in the 
system; (v) authority for maintenance of the system; (vi) purpose(s) of 
the system; (vii) routine uses of records maintained in the system, 
including categories of users and the purpose(s) of such uses; (viii) 
disclosures to consumer reporting agencies; (ix) policies and practices 
for storing, retrieving, accessing, retaining, and disposing of records 
in the system; (x) system manager(s) and address; (xi) procedures by 
which an individual can be informed whether a system contains a record 
pertaining to himself, gain access to such record, and contest the 
content, accuracy, completeness, timeliness, relevance, and necessity 
for retention of the record; (xii) record source categories; and (xiii) 
exemptions claimed for the system. Finally, in the opening sentence of 
paragraph (a)(2) of Sec.  2400.5, OSHRC is making minor grammatical 
changes, such as inserting ``the'' before the words ``existence'' and 
``systems.''
    In accordance with the amendments to the Privacy Act contained in 
section 3(b), Pub. L. 100-503 (5 U.S.C. 552a(r)), OSHRC is adding a new 
paragraph (a)(3) to Sec.  2400.5 that sets forth the reporting 
requirements for system-of-records notices. New paragraph (a)(3) reads 
as follows:

OSHRC shall submit a report, in accordance with guidelines provided 
by the Office of Management and Budget (OMB), in order to give 
advance notice to the Committee on Government Reform of the House of 
Representatives, the Committee on Homeland Security and Governmental 
Affairs of the Senate, and OMB of any proposal to establish a new 
system of records or to significantly change an existing system of 
records.

    It is necessary to add new paragraph (a)(3) to Sec.  2400.5 in 
order to provide a comprehensive explanation of the notification 
requirements.
    In paragraph (b) of Sec.  2400.5, OSHRC is replacing the phrase 
``personal information'' with ``record pertaining to the individual'' 
because the term ``record'' is defined in the Privacy Act at 5 U.S.C. 
552a(a)(4), while the term ``information'' is not.
    OSHRC is also making substantial changes to paragraph (c) of Sec.  
2400.5. The prior version of paragraph (c) stated as follows: 
``Notification of amendment. (See Sec.  2400.7 relating to amendment of 
records upon request.)'' OSHRC is deleting this language, inserting the 
text of old Sec.  2400.4(c) (as discussed earlier), and designating it 
as new paragraph (c)(1) in Sec.  2400.5. OSHRC is modifying the text to 
read as follows:

OSHRC shall inform any person or other agency about any correction 
or notation of dispute made by OSHRC to any record that has been 
disclosed to the person or agency, if the correction or notation was 
made pursuant to Sec.  2400.8, and an accounting of the disclosure 
was made pursuant to Sec.  2400.4(c).

    The prior version of this paragraph states that its requirements 
apply where a ``personal record has been or is to be disclosed.'' 
However, the phrase ``is to be disclosed'' is not included in 5 U.S.C. 
552a(c)(4), the regulation's statutory counterpart. Moreover, from a 
practical standpoint, it would be difficult to notify a person or an 
agency of a correction if the record has not yet been disclosed to that 
person or agency. The remaining changes to new paragraph (c)(1), shown 
above, are based on the statutory text at section 552a(c)(4).
    OSHRC is adding a new paragraph (c)(2) to Sec.  2400.5 setting 
forth the requirements of 5 U.S.C. 552a(d)(4), which explains how 
agencies are to treat disputed portions of the record. New paragraph 
(c)(2) reads as follows:

In any disclosure to a person or other agency containing information 
about which the individual has filed a statement of disagreement and 
occurring after the statement was filed, OSHRC shall clearly note 
any portion of the record which is disputed and provide copies of 
the statement and, if OSHRC deems appropriate, copies of a concise 
statement of OSHRC's reasons for not making the requested 
amendments.

    Adding this statutory requirement to Sec.  2400.5 will help ensure 
that the rights of those covered by the Privacy Act are preserved.
    In accordance with 5 U.S.C. 552a(e)(11), OSHRC is amending 
paragraph (d) of Sec.  2400.5 to allow interested persons to ``submit 
written data, views, or arguments to OSHRC'' after a system-of-records 
notice has been published in the Federal Register. OSHRC is also adding 
the word ``routine'' before ``use,'' and replacing ``personal 
information'' with ``a system of records'' because, under section 
552a(e)(11), notification is required only for new and revised routine 
uses of

[[Page 57420]]

systems of records. OSHRC is making no changes to paragraph (e) of 
Sec.  2400.5.
    With regard to Sec.  2400.6 (Procedures for requesting records), 
OSHRC is making various substantive and structural changes, as well 
some changes in nomenclature. Throughout Sec.  2400.6, OSHRC is 
replacing ``personal information'' with ``record'' because the term 
``record'' is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) and the 
term ``information'' is not. OSHRC is also making a change in 
nomenclature by replacing ``Executive Director,'' ``responsible 
official,'' and ``disclosure officer'' with ``Privacy Officer'' in 
accordance with the amendments to Sec.  2400.3(a).
    In the opening sentence of Sec.  2400.6, OSHRC is replacing the 
word ``have'' with ``gain.'' OSHRC is also deleting the phrase ``within 
a comprehensive format'' as unnecessary.
    In paragraph (a)(1) of Sec.  2400.6, OSHRC is deleting the last 
sentence which read as follows:

Access to OSHRC records maintained in National Archives and Records 
Service Centers may be obtained in accordance with the regulations 
issued by the General Services Administration.

    According to section 107(g)(2), Pub. L. 98-497 (5 U.S.C. 
552a(l)(1)), the records that OSHRC sends to the Federal processing 
center are still considered to be under OSHRC's control. Thus, 
disclosure of such records must be in accordance with OSHRC's 
regulations implementing the Privacy Act. OSHRC is also amending the 
agency's mailing address to include the last four digits of the ZIP 
code and to spell out ``Ninth Floor.''
    OSHRC is deleting the last sentence in paragraph (a)(2) of Sec.  
2400.6, which read, ``Upon request, OSHRC also shall disclose to the 
individual an accounting of any disclosures made from the individual's 
records.'' This sentence was redundant because new Sec.  2400.4(c)(4) 
(old Sec.  2400.4(d)(3)) already covers an individual's request for an 
accounting.
    In paragraph (a)(3) of Sec.  2400.6, OSHRC is revising the Privacy 
Officer's period for response to read ``10 working days'' rather than 
``10 days,'' because 5 U.S.C. 552a(d)(2)(A) states that Saturdays, 
Sundays, and legal holidays are excluded from the 10-day requirement.
    Paragraphs (b)(1) and (b)(2) of Sec.  2400.6 remain unchanged. 
However, OSHRC is amending paragraph (b)(3) of Sec.  2400.6 to reflect 
that a declaration made in accordance with 28 U.S.C. 1746 may serve as 
an alternative to a notarized statement, in accordance with section 
1(a), Pub. L. 94-550 (28 U.S.C. 1746), and Summers v. United States 
Dep't of Justice, 999 F.2d 570, 573 (D.C. Cir. 1993).
    While paragraph (c) on verification of guardianship remains 
unchanged, OSHRC is modifying paragraph (d) of Sec.  2400.6 to indicate 
that the authorization form discussed in that paragraph must be 
provided by OSHRC. Because the form is intended, in part, to protect 
OSHRC from liability that may arise when records are disseminated to a 
third party accompanying the individual whose records are being 
accessed, OSHRC must make certain that the form is legally adequate.
    OSHRC is deleting old paragraph (e) of Sec.  2400.6, which sets 
forth special rules for requesting medical records, and adding a new 
Sec.  2400.7 that provides a more legally sound procedure for 
requesting such records. OSHRC is also re-designating old paragraph (f) 
as new paragraph (e).
    OSHRC is re-designating old paragraph (g) of Sec.  2400.6 as new 
paragraph (f) and amending its language to require that the Privacy 
Officer, upon denying an individual's request for personal records, 
notify the individual of his or her right to an administrative appeal. 
The paragraph previously required that the requester be advised only of 
his right to judicial review in a district court of the United States. 
However, the administrative appeal is an equally important aspect of 
the review process and, therefore, is also included in the Privacy 
Officer's statement. OSHRC is deleting the phrase ``or other 
appropriate official,'' thereby requiring that the Privacy Officer sign 
any reply denying an individual's written request to review a record. 
Placing clear limits on who has authority to deny such a request is 
necessary to maintain the integrity of the administrative appeal 
process.
    As discussed above, OSHRC is creating a new Sec.  2400.7 by carving 
out old paragraph (e) of Sec.  2400.6 and revising it to comport with 
new case law regarding special procedures for medical records. Under 5 
U.S.C. 552a(f)(3), OSHRC must--

establish procedures for the disclosure to an individual upon his 
request of his record or information pertaining to him, including 
special procedure, if deemed necessary, for the disclosure to an 
individual of medical records, including psychological records, 
pertaining to him[.]

    The previous version of paragraph (e) of Sec.  2400.6 read as 
follows:

Medical records shall be disclosed to the requester to whom they 
pertain unless the Executive Director, in consultation with a 
medical doctor named by the requesting individual, determines that 
access to such record could have an adverse effect upon such 
individual. In such a case, the Executive Director shall transmit 
such information to the named medical doctor.

    In light of Benavides v. United States Bureau of Prisons, 995 F.2d 
269 (D.C. Cir. 1993), this may not be a valid procedure. In Benavides, 
the United States Court of Appeals for the District of Columbia Circuit 
found that, while an agency is authorized to devise a ``special'' 
methodology for disclosing medical records under section 552a(f)(3), 
the devised methodology must lead to disclosure of the medical records 
to the requesting individual. Id. at 272. Thus, the court held that a 
regulation which expressly contemplates that the requesting individual 
may never see certain medical records is not a permissible special 
procedure. Id. The court, however, rejected the argument that the 
Privacy Act requires direct disclosure of medical records to the 
requesting individual. Id. at 273. Recognizing the ``potential harm 
that could result from unfettered access to medical and psychological 
records,'' the court provided that an agency should have the freedom to 
craft special procedures to limit such harm, as long as the agency 
guarantees ``the ultimate disclosure of the medical records to the 
requesting individual.'' Id. New Sec.  2400.7 addresses the concerns 
expressed in Benavides by setting forth a procedure that guarantees 
``the ultimate disclosure of medical records to the requesting 
individual,'' but still requires the intervention of a physician in 
order ``to limit the potential harm.'' Id.
    OSHRC is re-designating old Sec.  2400.7 (Procedures for requesting 
amendment) as new Sec.  2400.8. Throughout new Sec.  2400.8, OSHRC is 
replacing ``Executive Director'' with ``Privacy Officer'' in accordance 
with the amendments to Sec.  2400.3(a) discussed above. OSHRC is 
revising paragraph (b)(4) to reflect that the Privacy Officer will 
``[n]otify the requester of a determination not to amend the record, of 
the reasons for the refusal, and of the requester's right to appeal in 
accordance with [new] Sec.  2400.9.'' Inexplicably, the prior version 
of paragraph (b)(4) did not require OSHRC to explain its decision to 
deny a person's request for amendment. OSHRC is severing paragraphs (c) 
and (d) of old Sec.  2400.7 and renumbering them to create a new Sec.  
2400.9 pertaining to appeal procedures. Creating new Sec.  2400.9 by 
separating the appeal procedures from old Sec.  2400.7, which pertains 
to ``procedures for requesting amendment,'' is necessary because

[[Page 57421]]

individuals should be permitted to appeal the agency's denial of 
inspection and copy requests, not just the denial of amendment 
requests.
    In new Sec.  2400.9 (old Sec.  2400.7(c) and (d)), OSHRC is 
changing ``Executive Director'' to ``Privacy Officer.'' OSHRC is also 
making the following formatting changes. New paragraphs (a)(1) and 
(a)(2) of Sec.  2400.9 coincide with old Sec.  2400.7(c)(1) and (c)(2), 
new paragraph (b) coincides with old Sec.  2400.7(c)(3), new paragraph 
(c) coincides with old Sec.  2400.7(c)(4), and new paragraph (d) 
coincides with old Sec.  2400.7(d). In new paragraph (a)(1) (old Sec.  
2400.7(c)(1)), OSHRC is amending the last four digits of the ZIP code 
in its mailing address, spelling out ``Ninth Floor,'' and adding 
``Attn: Privacy Appeal'' as the second line in the address. In new 
paragraph (b) of Sec.  2400.9 (old Sec.  2400.7(c)(3)), OSHRC is: (1) 
Adding the word ``working'' after the first mention of ``30'' because 5 
U.S.C. 552a(d)(3) states that Saturdays, Sundays, and legal holidays 
are excluded from the 30-day requirement; (2) replacing the word 
``determination'' with ``decision'' in order to make new paragraph (b) 
consistent with paragraph (c) (old Sec.  2400.7(c)(4)); and (3) for the 
sake of readability, modifying ``not complete, accurate, relevant, or 
timely,'' to read ``incomplete, inaccurate, irrelevant, or untimely.'' 
In new paragraph (c) (old Sec.  2400.7(c)(4)), OSHRC is titling the 
paragraph ``Decision requirements'' and adding the phrase ``of the 
United States'' after ``district court.'' Finally, in new paragraph (d) 
(old Sec.  2400.7(d)), OSHRC is adding ``then'' after ``the 
requester,'' and deleting the word ``personal'' because the definition 
of ``record'' in the Privacy Act at 5 U.S.C. 552a(a)(4) already 
reflects that personally identifiable information is at issue.
    OSHRC is deleting old Sec.  2400.7(e), which states that the 
Executive Director ``is available to provide an individual with 
assistance in exercising rights pursuant to this part.'' This language 
creates no affirmative duty and is therefore unnecessary. Moreover, 
other OSHRC regulations already adequately ensure that an individual 
requesting records or amendment to records will be provided with the 
information necessary to exercise his or her rights.
    OSHRC is re-designating old Sec.  2400.8 (Schedule of fees) as new 
Sec.  2400.10. OSHRC is amending the schedule of fees to reflect the 
change in costs since the original promulgation of the current 
regulations in 1979. Rather than specifying a specific copying fee, 
OSHRC is incorporating by reference Appendix A to 29 CFR Part 2201--
Schedule of Fees in the agency's final FOIA rules at 71 FR 56347, 
September 27, 2006. OSHRC is making this revision for purposes of 
administrative ease and to ensure that the fees charged for FOIA and 
Privacy Act requests are consistent. Lastly, in accordance with 5 
U.S.C. 552a(f)(5), OSHRC is amending paragraph (c) to reflect that no 
fee will be charged for reviewing records.
    OSHRC is deleting old Sec.  2400.9 (Exemptions), which states that 
``[s]ubsections 552a(j) and (k) of title 5 * * * empower the Chairman 
to exempt systems of records meeting certain criteria from various 
other subsections of section 552a.'' Under 5 U.S.C. 552a(j) and (k), 
the head of an agency may promulgate rules, in some circumstances, to 
exempt various systems of records from certain Privacy Act 
requirements. A system of records cannot be exempted, however, unless a 
specific rule regarding it has been published. If ever there is a 
system of records that the head of the agency wants to exempt, he or 
she can simply publish a regulation at that time to exempt the system. 
Thus, deleting Sec.  2400.9 in no way deprives the Chairman of this 
authority.

Executive Order 12866

    The Commission is an independent regulatory agency, and, as such, 
is not subject to the requirements of E.O. 12866.

Paperwork Reduction Act

    The Commission has determined that the Paperwork Reduction Act, 44 
U.S.C. 3501 et seq., does not apply because these rules do not contain 
any information collection requirements that require the approval of 
OMB.

Executive Order 13132

    The Commission is an independent regulatory agency, and, as such, 
is not subject to the requirements of E.O. 13132.

Regulatory Flexibility Act

    The Commission has determined under the Regulatory Flexibility Act, 
5 U.S.C. 605(b), as amended by the Small Business Regulatory 
Enforcement Fairness Act of 1996, 5 U.S.C. 804(2), and has certified to 
the Chief Counsel for Advocacy of the Small Business Administration, 
that these rules will not have a significant economic impact on a 
substantial number of small entities. Therefore, a Regulatory 
Flexibility Statement and Analysis has not been prepared.
    The Commission maintains relatively few systems of records, as 
defined by 5 U.S.C. 552a(a)(5). Moreover, the bulk of the Commission's 
record--i.e., its case files--are already open to public review under 
section 12(g) of the OSH Act, 29 U.S.C. Sec.  661(g). Despite the 
requirements of the Privacy Act, the public may access much of the 
information that the Commission maintains. Finally, the Privacy Act 
permits agencies to charge requesters for duplication costs, but not 
for costs associated with searching for and reviewing requested 
records. The Commission's final rule is fully consistent with these 
requirements.

Unfunded Mandates Reform Act of 1995

    The Commission is an independent regulatory agency, and, as such, 
is not subject to the Unfunded Mandates Reform Act, 2 U.S.C. 1501 et 
seq.

Congressional Review Act

    Consistent with the Congressional Review Act (Section 804 of the 
Small Business Regulatory Enforcement Fairness Act), 5 U.S.C. 804 et 
seq., the Commission will submit to Congress and to the Comptroller 
General of the United States, a report regarding the issues of this 
Final Rule prior to the effective date set forth at the outset of this 
document. This rule is not a major rule under the Congressional Review 
Act. The rule will not result in an annual effect on the economy of 
more than $100 million per year; a major increase in costs or prices 
for consumers, individual industries, Federal, State, or local 
government agencies, or geographic regions; or significant adverse 
effects on competition, employment, investment, productivity, 
innovation, or on the ability of U.S.-based enterprises to compete with 
foreign-based companies in domestic and export markets.

List of Subjects in 29 CFR Part 2400

    Administrative practice and procedure, Archives and records, 
Government employees, Privacy.

    Signed at Washington, DC, on September 27, 2006.
W. Scott Railton,
Chairman.


0
For the reasons set forth in the preamble, OSHRC amends Chapter XX of 
Title 29, Code of Federal Regulations, by revising part 2400 to read as 
follows:

PART 2400--REGULATIONS IMPLEMENTING THE PRIVACY ACT

Sec.
2400.1 Purpose and scope.
2400.2 Description of agency.
2400.3 Delegation of authority.
2400.4 Collection and disclosure of personal information.

[[Page 57422]]

2400.5 Notification.
2400.6 Procedures for requesting records.
2400.7 Special procedures for requesting medical records.
2400.8 Procedures for requesting amendment.
2400.9 Procedures for appealing.
2400.10 Schedule of fees.

    Authority: 5 U.S.C. 552a(f); 5 U.S.C. 553.


Sec.  2400.1  Purpose and scope.

    The purpose of the provisions of this part is to provide procedures 
to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is 
applicable only to records that are maintained by the Occupational 
Safety and Health Review Commission (OSHRC or the Commission), which 
includes all systems of records operated on behalf of OSHRC, pursuant 
to a contract, to accomplish an agency function, except for records 
that are disclosed to consumer reporting agencies under section 3711(e) 
of title 31, United States Code. This part is not applicable to the 
rights of parties appearing in adversary proceedings before the 
Commission to obtain discovery from an adverse party. Such matters are 
governed by the Commission's Rules of Procedure, which are published at 
29 CFR 2200.1 et seq.


Sec.  2400.2  Description of agency.

    The Commission adjudicates contested enforcement actions under the 
Occupational Safety and Health Act of 1970 (29 U.S.C. 651-677). 
Decisions of the Commission on such actions are issued only after the 
parties to the case are afforded an opportunity for a hearing in 
accordance with section 554 of title 5, United States Code. All such 
hearings are conducted by an OSHRC Administrative Law Judge at a place 
convenient to the parties and are open to the public. Each Commission 
member has the authority to direct that a decision of a Judge be 
reviewed by the full Commission before becoming a final order. The 
President designates one of the Commissioners as Chairman, who is 
responsible on behalf of the Commission for the administrative 
operations of the Commission.


Sec.  2400.3  Delegation of authority.

    (a) The Chairman shall designate an OSHRC employee as the Privacy 
Officer, and shall delegate to the Privacy Officer the authority to 
ensure agency-wide compliance with this part.
    (b) Custodians of the systems of records are responsible for the 
following:
    (1) Adhering to this part within their respective units and, in 
particular, collecting, using and disclosing records, and affording 
individuals the right to inspect, obtain copies of and correct records 
concerning them;
    (2) Reporting the existence of systems of records, changes to the 
contents of those systems and changes of routine use to the Privacy 
Officer, and also establishing the relevancy of records within those 
systems; and
    (3) Maintaining an accurate accounting of each disclosure in 
conformance with Sec.  2400.4(c) of this part.


Sec.  2400.4  Collection and disclosure of personal information.

    (a) The following rules govern the collection of personal 
information throughout OSHRC operations:
    (1) OSHRC shall:
    (i) Solicit, collect and maintain in its records only such personal 
information as is relevant and necessary to accomplish a purpose 
required by statute or executive order;
    (ii) Maintain all records which are used by OSHRC in making any 
determination about any individual with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to ensure 
fairness to the individual in the determination;
    (iii) Collect information, to the greatest extent practicable, 
directly from the subject individual when such information may result 
in adverse determinations about an individual's rights, benefits or 
privileges under Federal programs; and
    (iv) Inform any individual requested to disclose personal 
information whether that disclosure is mandatory or voluntary, by what 
authority it is solicited, the principal purposes for which it is 
intended to be used, the routine uses which may be made of it, and any 
penalties or consequences known to OSHRC which shall result to the 
individual from such non-disclosure.
    (2) OSHRC shall not discriminate against any individual who fails 
to provide personal information unless that information is required or 
necessary for the conduct of the system or program in which the 
individual desires to participate. See Sec.  2400.4(a)(1)(i).
    (3) No record shall be collected or maintained which describes how 
any individual exercises rights guaranteed by the First Amendment 
unless the Commission specifically determines that such information is 
relevant and necessary to carry out a statutory purpose of OSHRC, and 
the collection or maintenance of the record is expressly authorized by 
statute or by the individual about whom the record is maintained, or 
unless the record is pertinent to and within the scope of an authorized 
law enforcement activity.
    (4) OSHRC shall not require disclosure of any individual's Social 
Security account number or deny a right, privilege or benefit because 
of the individual's refusal to disclose the number unless disclosure is 
required by Federal law.
    (b) Disclosures--(1) Limitations. OSHRC shall not disclose any 
record which is contained in a system of records by any means of 
communication to any person, or to another agency, except pursuant to a 
written request by, or with the prior written consent of, the 
individual to whom the record pertains.
    (2) Exceptions. A record may be disseminated without satisfying the 
requirements of paragraph (b)(1) of this section if disclosure is made:
    (i) To a person pursuant to a requirement of the Freedom of 
Information Act (5 U.S.C. 552);
    (ii) To those officers and employees of OSHRC who have a need for 
the record in the performance of their duties;
    (iii) For a routine use as contained in the system notices 
published in the Federal Register;
    (iv) To a recipient who has provided OSHRC with adequate advance 
written assurance that the record shall be used solely as a statistical 
reporting or research record, and the record is to be transferred in a 
form that is not personally identifiable;
    (v) To the Bureau of the Census for purposes of planning or 
carrying out a census or survey or related activity pursuant to the 
provisions of title 13, United States Code;
    (vi) To the National Archives and Records Administration as a 
record which has sufficient historical or other value to warrant its 
continued preservation by the United States Government, or for 
evaluation by the Archivist of the United States or the designee of the 
Archivist to determine whether the record has such value;
    (vii) To a person pursuant to a showing of compelling circumstances 
affecting the health or safety of an individual, if upon such 
disclosure notification is transmitted to the last known address of 
such individual;
    (viii) To another agency or an instrumentality of any governmental 
jurisdiction within or under the control of the United States for a 
civil or criminal law enforcement activity, if such activity is 
authorized by law and if the head of the agency or instrumentality has 
made a written request to OSHRC specifying the particular portion of 
the record desired and the law enforcement activity for which the 
record is sought;

[[Page 57423]]

    (ix) To either House of Congress, or, to the extent of matter 
within its jurisdiction, any committee or subcommittee thereof, or any 
joint committee of Congress or subcommittee of any such joint 
committee;
    (x) To the Comptroller General or any of his authorized 
representatives in the course of the performance of the duties of the 
Government Accountability Office;
    (xi) Pursuant to the order of a court of competent jurisdiction; or
    (xii) To a consumer reporting agency in accordance with section 
3711(e) of title 31, United States Code.
    (3) Employee credit references. OSHRC's Office of Administration 
shall verify the following information provided by an employee to a 
credit bureau or commercial firm from which an employee is seeking 
credit: Length of service, job title, grade, salary, tenure of 
employment, and Civil Service status.
    (4) Employee job references. Prospective employers of an OSHRC 
employee or a former OSHRC employee may be furnished with the 
information in paragraph (b)(3) of this section in addition to the date 
and reason for separation, if applicable, upon the request of the 
employee or former employee.
    (5) Disclosures to third parties. Prior to disseminating any record 
about an individual to any person other than an agency, unless the 
record is disseminated pursuant to paragraph (b)(2)(i) of this section, 
OSHRC shall make reasonable efforts to ensure that the record is 
accurate, complete, timely and relevant.
    (6) Anticipated legal action. Nothing in this section shall allow 
an individual access to any information compiled in reasonable 
anticipation of a civil action or proceeding.
    (c) Accounting of disclosures--(1) OSHRC shall maintain an accurate 
accounting of each disclosure, except for any disclosure made pursuant 
to paragraphs (b)(2)(i) and (b)(2)(ii) of this section.
    (2) When an accounting is required under paragraph (c)(1) of this 
section, the following information shall be recorded: The date, nature, 
and purpose of each disclosure of a record to any person or to another 
agency, and the name and address of the person or agency to whom the 
disclosure is made.
    (3) The accounting shall be maintained for at least five (5) years 
after disclosure or for the life of the record, whichever is longer.
    (4) The accounting shall be made available to the individual named 
in the record upon inquiry, except for disclosures made pursuant to 
paragraph (b)(2)(viii) of this section relating to law enforcement 
activities. See Sec.  2400.6 for suggested form of request.


Sec.  2400.5  Notification.

    (a) Notification of systems. The following procedures permit 
individuals to determine the types of systems of records maintained by 
OSHRC.
    (1) Upon written request, OSHRC shall notify any individual whether 
a specific system named by him contains a record pertaining to him. See 
Sec.  2400.6 for suggested form of request.
    (2) Upon establishing or revising a system of records, OSHRC shall 
publish in the Federal Register a notice of the existence and character 
of the system of records. This notice shall contain the following 
information:
    (i) System name and location;
    (ii) Security classification;
    (iii) Categories of individuals covered by the system;
    (iv) Categories of records in the system;
    (v) Authority for maintenance of the system;
    (vi) Purpose(s) of the system;
    (vii) Routine uses of records maintained in the system, including 
categories of users and the purpose(s) of such uses;
    (viii) Disclosures to consumer reporting agencies;
    (ix) Policies and practices for storing, retrieving, accessing, 
retaining, and disposing of records in the system;
    (x) System manager(s) and address;
    (xi) Procedures by which an individual can be informed whether a 
system contains a record pertaining to himself, gain access to such 
record, and contest the content, accuracy, completeness, timeliness, 
relevance and necessity for retention of the record;
    (xii) Record source categories; and
    (xiii) Exemptions claimed for the system.
    (3) OSHRC shall submit a report, in accordance with guidelines 
provided by the Office of Management and Budget (OMB), in order to give 
advance notice to the Committee on Government Reform of the House of 
Representatives, the Committee on Homeland Security and Governmental 
Affairs of the Senate, and OMB of any proposal to establish a new 
system of records or to significantly change an existing system of 
records.
    (b) Notification of disclosure. OSHRC shall make reasonable efforts 
to serve notice on an individual before any record pertaining to the 
individual is made available to any person under compulsory legal 
process when such process becomes a matter of public record.
    (c) Notification of amendment--(1) OSHRC shall inform any person or 
other agency about any correction or notation of dispute made by OSHRC 
to any record that has been disclosed to the person or agency, if the 
correction or notation was made pursuant to Sec.  2400.8, and an 
accounting of the disclosure was made pursuant to Sec.  2400.4(c).
    (2) In any disclosure to a person or other agency containing 
information about which the individual has filed a statement of 
disagreement and occurring after the statement was filed, OSHRC shall 
clearly note any portion of the record which is disputed and provide 
copies of the statement and, if OSHRC deems appropriate, copies of a 
concise statement of OSHRC's reasons for not making the requested 
amendments.
    (d) Notification of new routine use. Any new or revised routine use 
of a system of records maintained by OSHRC shall be published in the 
Federal Register thirty (30) days before such use becomes operational. 
Interested persons may then submit written data, views, or arguments to 
OSHRC.
    (e) Notification of exemptions. OSHRC shall publish in the Federal 
Register its intent to exempt any system of records and shall specify 
the nature and purpose of that system.


Sec.  2400.6  Procedures for requesting records.

    The purpose of this section is to provide procedures by which an 
individual may gain access to his records.
    (a) Submission of requests for access--(1) Manner. An individual 
seeking information regarding the contents of records systems or access 
to records about himself in a system of records should present a 
written request to that effect either in person or by mail to the 
Privacy Officer, OSHRC, One Lafayette Centre, 1120-20th Street, NW., 
Ninth Floor, Washington, DC 20036-3457.
    (2) Specification of records sought. Requests for access to records 
shall describe the nature of the record sought, the approximate dates 
covered by the record, and the system in which the record is thought to 
be included as described in the ``Notification'' for that system as 
published in the Federal Register. The requester should also indicate 
whether he wishes to review the record in person or obtain a copy by 
mail. If the information supplied is insufficient to locate or identify 
the record, the requester shall be notified promptly and, if necessary, 
informed of additional information required.
    (3) Period for response. Upon receipt of an inquiry the Privacy 
Officer shall respond promptly to the request and no

[[Page 57424]]

later than 10 working days from receipt of such inquiry.
    (b) Verification of identity. The following standards are 
applicable to any individual who requests records concerning himself:
    (1) An individual seeking access to records about himself in person 
may establish his identity by the presentation of a single document 
bearing a photograph (such as a passport, employee identification card, 
or valid driver's license) or by the presentation of two items of 
identification which do not bear a photograph but do bear both a name 
and address (such as a valid driver's license, or credit card).
    (2) An individual seeking access to records about himself by mail 
shall establish his identity by a signature, address, date of birth, 
place of birth, employee identification number, if any, and one other 
identifier such as a photocopy of an identifying document.
    (3) An individual seeking access to records about himself by mail 
or in person who cannot provide the necessary documentation of 
identification may provide a notarized statement, or a declaration in 
accordance with 28 U.S.C. 1746, swearing or affirming to his identity 
and to the fact that he understands the penalties for false statements 
pursuant to 18 U.S.C. 1001. Forms for notarized statements may be 
obtained on request from the Privacy Officer.
    (c) Verification of guardianship. The parent or guardian of a minor 
or a person judicially determined to be incompetent and seeking to act 
on behalf of such minor or incompetent shall, in addition to 
establishing his own identity, establish the identity of the minor or 
other person he represents as required in paragraph (b) of this section 
and establish his own parentage or guardianship of the subject of the 
record by furnishing either a copy of a birth certificate showing 
parentage or a court order establishing the guardianship.
    (d) Accompanying persons. An individual seeking to review records 
about himself may be accompanied by another individual of his own 
choosing. Both the individual seeking access and the individual 
accompanying him shall be required to sign a form provided by OSHRC 
indicating that OSHRC is authorized to discuss the contents of the 
subject record in the presence of both individuals.
    (e) When compliance is possible--(1) The Privacy Officer shall 
inform the requester of the determination to grant the request and 
shall make the record available to the individual in the manner 
requested, that is, either by forwarding a copy of the information to 
him or by making it available for review, unless:
    (i) It is impracticable to provide the requester with a copy of a 
record, in which case the requester shall be so notified, and, in 
addition, be informed of the procedures set forth in paragraph (b) of 
this section, or
    (ii) The Privacy Officer has reason to believe that the cost of a 
copy of a record is considerably more expensive than anticipated by the 
requester, in which case he shall notify the requester of the estimated 
cost, and ascertain whether the requester still wishes to be provided 
with a copy of the information.
    (2) Where a record is to be reviewed by the requester in person, 
the Privacy Officer shall inform the requester in writing of:
    (i) The date on which the record shall become available for review, 
the location at which it may be reviewed, and the hours for inspection;
    (ii) The type of identification that shall be required in order for 
him to review the record;
    (iii) Such person's right to have a person of his own choosing 
accompany him to review the record; and
    (iv) Such person's right to have a person other than himself review 
the record.
    (3) If the requester seeks to inspect the record without receiving 
a copy, he shall not leave OSHRC premises with the record and shall 
sign a statement indicating he has reviewed a specific record or 
category of record.
    (f) Response when compliance is not possible. A reply denying a 
written request to review a record shall be in writing signed by the 
Privacy Officer and shall be made only if such a record does not exist 
or does not contain personal information relating to the requester, or 
is exempt. This reply shall include a statement regarding the 
determining factors of denial, and the requester's rights to 
administrative appeal and thereafter judicial review in a district 
court of the United States.


Sec.  2400.7  Special procedures for requesting medical records.

    (a) Upon an individual's request for access to his medical records, 
including psychological records, the Privacy Officer shall make a 
preliminary determination on whether access to such records could have 
an adverse effect upon the requester. If the Privacy Officer determines 
that access could have an adverse effect on the requester, OSHRC shall 
notify the requester in writing and advise that the records at issue 
can be made available only to a physician of the requester's 
designation. Upon receipt of such designation, verification of the 
identity of the physician, and agreement by the physician to review the 
documents with the requesting individual, to explain the meaning of the 
documents, and to offer counseling designed to temper any adverse 
reaction, OSHRC shall forward such records to the designated physician.
    (b) If, within sixty (60) days of OSHRC's written request for a 
designation, the requester has failed to respond or designate a 
physician, or the physician fails to agree to the release conditions, 
then OSHRC shall hold the documents in abeyance and advise the 
requester that this action may be construed as a technical denial. 
OSHRC shall also advise the requester of his rights to administrative 
appeal and thereafter judicial review in a district court of the United 
States.


Sec.  2400.8  Procedures for requesting amendment.

    (a) Submission of requests for amendment. Upon review of an 
individual's personal record, that individual may submit a request to 
amend such record. This request shall be submitted in writing to the 
Privacy Officer and shall include a statement of the amendment 
requested and the reasons for such amendment, e.g., relevance, 
accuracy, timeliness or completeness of the record.
    (b) Action to be taken by the Privacy Officer. Upon receiving an 
amendment request, the Privacy Officer shall promptly:
    (1) Acknowledge in writing within ten (10) working days the receipt 
of the request;
    (2) Make such inquiry as is necessary to determine whether the 
amendment is appropriate; and
    (3) Correct or eliminate any information that is found to be 
incomplete, inaccurate, irrelevant to a statutory purpose of OSHRC, or 
untimely and notify the requester when this action is complete; or
    (4) Notify the requester of a determination not to amend the 
record, of the reasons for the refusal, and of the requester's right to 
appeal in accordance with Sec.  2400.9.


Sec.  2400.9  Procedures for appealing.

    (a) Submission of appeal--(1) If a request to inspect, copy or 
amend a record is denied, in whole or in part, or if no determination 
is made within the period prescribed by this part, then the requester 
may appeal to the Chairman, Attn: Privacy Appeal, OSHRC, One

[[Page 57425]]

Lafayette Centre, 1120-20th Street, NW., Ninth Floor, Washington, DC 
20036-3457.
    (2) The requester shall submit his appeal in writing within thirty 
(30) days of the date of denial, or within ninety (90) days of such 
request if the appeal is from a failure of the Privacy Officer to make 
a determination. The letter of appeal should include, as applicable:
    (i) Reasonable identification of the record to which access was 
sought or the amendment of which was requested.
    (ii) A statement of the OSHRC action or failure to act being 
appealed and the relief sought.
    (iii) A copy of the request, the notification of denial and any 
other related correspondence.
    (b) Final decisions. The Chairman shall make his final decision not 
later than thirty (30) working days from the date of the request, 
unless he extends the time for good cause to be shown by him but not to 
exceed ninety (90) days from the date of the request. Any record found 
on appeal to be incomplete, inaccurate, irrelevant, or untimely, shall 
within thirty (30) working days of the date of such findings be 
appropriately amended.
    (c) Decision requirements. The decision of the Chairman constitutes 
the final decision of OSHRC on the right of the requester to inspect, 
copy, change or update a record. The decision on the appeal shall be in 
writing and, in the event of a denial, shall set forth the reasons for 
such denial and state the individual's right to obtain judicial review 
in a district court of the United States. An indexed file of the 
agency's decisions on appeal shall be maintained by the Privacy 
Officer.
    (d) Submission of statement of disagreement. If the final decision 
does not satisfy the requester, then any statement of reasonable 
length, provided by that individual, setting forth a position regarding 
the disputed information, shall be accepted and included in the 
relevant record.


Sec.  2400.10  Schedule of fees.

    (a) Policy. The purpose of this section is to establish fair and 
equitable fees to permit reproduction of records for concerned 
individuals.
    (b) Reproduction--(1) For the fees associated with reproduction of 
records, refer to Appendix A to part 2201, Schedule of Fees.
    (2) OSHRC shall not normally furnish more than one copy of any 
record.
    (c) Limitations. No fee shall be charged to any individual for the 
process of retrieving, reviewing, or amending records.

[FR Doc. 06-8399 Filed 9-27-06; 1:19 pm]
BILLING CODE 7600-01-P