Privacy Act of 1974; Privacy Act Regulation, 25594-25597 [E8-9927]

Agencies

• FEDERAL RESERVE SYSTEM

[Federal Register Volume 73, Number 89 (Wednesday, May 7, 2008)]
[Proposed Rules]
[Pages 25594-25597]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-9927]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 73, No. 89 / Wednesday, May 7, 2008 / 
Proposed Rules

[[Page 25594]]



FEDERAL RESERVE SYSTEM

12 CFR Part 261a

[Docket No. R-1313]


Privacy Act of 1974; Privacy Act Regulation

AGENCY: Board of Governors of the Federal Reserve System.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Board of Governors of the Federal Reserve System (Board) 
proposes to amend its regulation implementing the Privacy Act of 1974 
(Privacy Act). The primary changes concern: the waiver of copying fees 
charged to current and former Board employees, and applicants for Board 
employment, for access to their records under the Privacy Act; amending 
special procedures for the release of medical records to permit the 
Board's Chief Privacy Officer to also consult with the Board's Employee 
Assistance Program counselor to determine whether the disclosure of 
medical records directly to the requester could have an adverse effect 
on the requester; changes to procedures for requests by current Board 
employees for access to their personnel records; changes to the time 
limits for responding to requests for access to information and 
amendment of records; and updates to the exemptions claimed for certain 
systems of records. In addition, the Board is proposing to make minor 
editorial and technical changes to ensure that the Board's regulation 
is consistent with the Board's published systems of records and is 
clearer.

DATES: Comment must be received on or before June 6, 2008.

ADDRESSES: You may submit comments, identified by Docket No. R-1313, by 
any of the following methods:
     Agency Web site: https://www.federalreserve.gov. Follow the 
instructions for submitting comments at https://www.federalreserve.gov/
generalinfo/foia/ProposedRegs.cfm.
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: regs.comments@federalreserve.gov. Include docket 
number in the subject line of the message.
     FAX: 202/452-3819 or 202/452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and Constitution Avenue, 
NW., Washington, DC 20551.
    All public comments are available from the Board's Web site at 
https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as 
submitted, unless modified for technical reasons. Accordingly, your 
comments will not be edited to remove any identifying or contact 
information. Public comments may also be viewed electronically or in 
paper in Room MP-500 of the Board's Martin Building (20th and C 
Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.

FOR FURTHER INFORMATION CONTACT: Brad Fleetwood, Senior Counsel, (202) 
452-3721, Legal Division. For user of Telecommunications Device for the 
Deaf (TDD) only, contact (202) 263-4869.

SUPPLEMENTARY INFORMATION: The Board's Privacy Act Regulation was last 
revised in 2002 (67 FR 44526, July 3, 2002). Since that time, in its 
ongoing review of this regulation and the Board's Privacy Act systems 
of records, the Board has determined that certain additional changes 
should be made to the regulation to improve procedures and to make the 
regulation clearer and more understandable. Below is an explanation of 
the proposed substantive changes.
    The Privacy Act (5 U.S.C. 552a(f)(5)) permits agencies to assess 
fees for copying requested records. Section 261a.4(a) of the Board's 
current regulation states that the duplication fee for Privacy Act 
requests will be the same as that charged for duplication of records in 
response to a Freedom of Information Act request (currently $.10/page). 
Section 261a.4(c) states that duplication fees totaling $50 or less 
will be waived in the connection with a request by an employee, former 
employee, or applicant for employment for records for use in 
prosecuting a grievance or complaint of discrimination against the 
Board; but the Secretary of the Board also may waive fees exceeding 
that amount. A review of current Board practice revealed that all 
copying fees are waived in connection with any request by current or 
former Board employees, and applicants for Board employment. 
Accordingly, the Board proposes to amend the regulation to conform to 
this practice.
    Currently, section 261a.7 of the Board's Regulation permits the 
Chief Privacy Officer, in consultation with the Board's physician, to 
determine that disclosure of medical records directly to the requester 
could have an adverse effect on the requester. In that situation, the 
Board would transmit the records to a licensed physician named by the 
requester, and the physician would disclose the records to the 
requester in a manner deemed appropriate by the physician. The Board 
proposes to amend the regulation to permit the Chief Privacy Officer to 
also consult with the Board's Employee Assistance Program (EAP) 
counselor to determine whether the disclosure of medical records 
directly to the requester could have an adverse effect on the 
requester.
    Currently, section 261a.5 provides that any person seeking to learn 
of the existence of, or to gain access to, an individual's record in a 
system of records shall submit a request in writing to the Secretary of 
the Board, except that a request by a current Board employee for that 
employee's personnel records may be made in person during regular 
business hours at the Human Resources Function of the Board's 
Management Division. The Board proposes to modify this provision and 
require all requests for access, including those made by current Board 
employees for access to their personnel records, to be submitted in 
writing to the Secretary of the Board. The proposed change will 
facilitate appropriate tracking and processing of all Privacy Act 
requests.
    Currently, Sec.  261.a(6)(b) states that individuals' requests for 
access to information shall be acknowledged, or where practicable, 
substantially responded to within 10 business days from receipt of the 
request. After a review of the Board's actual practice, the Board 
proposes to modify this time limit to provide the Board 20 business 
days to respond, where practicable.
    Currently, Sec.  261.a(9)(a) states that to the extent possible, a 
determination

[[Page 25595]]

upon a request to amend a record shall be made within 10 business days 
after receipt of the request. The Privacy Act requires agencies to 
respond to requests to amend records promptly. Thus, the Board proposes 
to change its regulation to require the Board to respond promptly to 
such requests.
    The current regulation sets out, in Sec.  261.12, the statutory 
exceptions to restrictions on disclosure. Because this provision adds 
no substantive or interpretative matter to the statutory provision, the 
proposal simply references the statutory exception provision in the 
text of proposed Sec.  261a.11 relating to restrictions on disclosure.
    The Board recently updated its Privacy Act systems of records, and 
the Board is now updating the exemptions listed under Sec.  261a.13 (to 
be renumbered Sec.  261a.12) to conform to the exemptions approved for 
each of the Board's Privacy Act systems of records. In addition, under 
Sec.  261a.12(d), the Board has clarified that all Office of Inspector 
the General Investigatory Records held in system BGFRS/OIG-1 are exempt 
from parts of the Privacy Act under 5 U.S.C. 552a(j)(2).
    The remaining proposed changes are technical or editorial in nature 
and should not have a substantive effect on any persons.

INITIAL REGULATORY FLEXIBILITY ANALYSIS

    The Privacy Act Regulation sets forth the procedures by which 
individuals may request access and amendment to records maintained in 
systems of records at the Board. The Board certifies that this rule 
will not have a significant economic impact on a substantial number of 
small entities, because it does not apply to business entities.

List of Subjects in 12 CFR Part 261a

    Privacy.

    For the reasons set forth in the preamble, the Board proposes to 
revise 12 CFR part 261a to read as follows:

PART 261a--RULES REGARDING ACCESS TO PERSONAL INFORMATION UNDER THE 
PRIVACY ACT 1974

Subpart A--General Provisions
Sec.
261a.1 Authority, purpose and scope.
261a.2 Definitions.
261a.3 Custodian of records; delegations of authority.
261a.4 Fees.
Subpart B--Procedures for Requests by Individual to Whom Record 
Pertains
261a.5 Request for access to record.
261a.6 Board procedures for responding to request for access.
261a.7 Special procedures for medical records.
261a.8 Request for amendment of record.
261a.9 Board review of request for amendment of record.
261a.10 Appeal of adverse determination of request for access or 
amendment.
Subpart C--Disclosure of Records
261a.11 Restrictions on disclosure.
261a.12 Exempt Records.

    Authority: 5 U.S.C. 552a.

Subpart A--General Provisions


Sec.  261a.1  Authority, purpose and scope.

    (a) Authority. This part is issued by the Board of Governors of the 
Federal Reserve System (the Board) pursuant to the Privacy Act of 1974 
(5 U.S.C. 552a).
    (b) Purpose and scope. This part implements the provisions of the 
Privacy Act of 1974 with regard to the maintenance, protection, 
disclosure, and amendment of records contained within systems of 
records maintained by the Board. It sets forth the procedures for 
requests for access to, or amendment of, records concerning individuals 
that are contained in systems of records maintained by the Board.


Sec.  261a.2  Definitions.

    For the purposes of this part, the following definitions apply:
    (a) Business day means any day except Saturday, Sunday, or a legal 
Federal holiday.
    (b) Guardian means the parent of a minor, or the legal guardian of 
any individual who has been declared to be incompetent due to physical 
or mental incapacity or age by a court of competent jurisdiction.
    (c) Individual means a natural person who is either a citizen of 
the United States or an alien lawfully admitted for permanent 
residence.
    (d) Maintain includes maintain, collect, use, or disseminate.
    (e) Record means any item, collection, or grouping of information 
about an individual maintained by the Board that contains the 
individual's name, or the identifying number, symbol, or other 
identifying particular assigned to the individual, such as a 
fingerprint, voice print, or photograph.
    (f) Routine use means, with respect to disclosure of a record, the 
use of such record for a purpose that is compatible with the purpose 
for which it was collected or created.
    (g) System of records means a group of any records under the 
control of the Board from which information is retrieved by the name of 
the individual or by some identifying number, symbol, or other 
identifying particular assigned to the individual.
    (h) You means an individual making a request under the Privacy Act.
    (i) We means the Board.


Sec.  261a.3  Custodian of records; delegations of authority.

    (a) Custodian of records. The Secretary of the Board is the 
official custodian of all Board records.
    (b) Delegated authority of Secretary. The Secretary of the Board is 
authorized to--
    (1) Respond to requests for access to, accounting of, or amendment 
of records contained in a system of records, except for such requests 
regarding systems of records maintained by the Board's Office of the 
Inspector General (OIG);
    (2) Approve the publication of new systems of records and amend 
existing systems of records, except systems of records exempted 
pursuant to Sec.  261a.13(b), (c) and (d); and
    (3) File any necessary reports related to the Privacy Act.
    (c) Delegated authority of designee. Any action or determination 
required or permitted by this part to be done by the Secretary of the 
Board may be done by a Deputy or Associate Secretary or other 
responsible employee of the Board who has been duly designated for this 
purpose by the Secretary.
    (d) Delegated authority of Inspector General. The Inspector General 
is authorized to respond to requests for access or amendment for 
systems of records maintained by the OIG.


Sec.  261a.4  Fees.

    (a) Copies of records. We will provide you with copies of records 
you request under Sec.  261a.5 of this part at the same cost we charge 
for duplication of records and/or production of computer output under 
the Board's Rules Regarding Availability of Information, 12 CFR part 
261.
    (b) No fee. We will not charge you a fee if--
    (1) Your total charges are less than $5, or
    (2) You are a Board employee or former employee, or an applicant 
for employment with the Board, and you request records pertaining to 
you.

Subpart B--Procedures for Requests by Individuals to Whom Record 
Pertains


Sec.  261a.5  Request for access to record.

    (a) Procedures for making request. (1) Except as provided in 
paragraph (a)(2) of this section, if you (or your guardian) want to 
learn of the existence of, or to gain access to, your record in a 
system of records, you may submit a request in

[[Page 25596]]

writing to the Secretary of the Board, Board of Governors of the 
Federal Reserve System, 20th Street and Constitution Avenue, NW., 
Washington, DC 20551.
    (2) If you want to request information contained in a system of 
records maintained by the Board's OIG, you may submit the request in 
writing to the Inspector General, Board of Governors of the Federal 
Reserve System, 20th Street and Constitution Avenue, NW., Washington, 
DC 20551.
    (b) Contents of request. Your request must include--
    (1) A statement that the request is made pursuant to the Privacy 
Act of 1974;
    (2) The name of the system of records you believe contains the 
record you request, or a concise description of that system of records;
    (3) Information necessary to verify your identity pursuant to 
paragraph (c) of this section; and
    (4) Any other information that may assist us in identifying the 
record you seek (e.g., maiden name, dates of employment, etc.).
    (c) Verification of identity. We will require proof of your 
identity, and we reserve the right to determine whether the proof you 
submit is adequate. In general, we will consider the following to be 
adequate proof of identity:
    (1) If you are a current Board employee, your Board identification 
card; or
    (2) If you are not a current Board employee, either--
    (i) Two forms of identification, including one photo 
identification, or
    (ii) A notarized statement attesting to your identity.
    (d) Verification of identity not required. We will not require 
verification of identity when the records you seek are available to any 
person under the Freedom of Information Act (5 U.S.C. 552).
    (e) Request for accounting of previous disclosures. You may request 
an accounting of previous disclosures of records pertaining to you in a 
system of records as provided in 5 U.S.C. 552a(c).


Sec.  261a.6  Board procedures for responding to request for access.

    (a) Compliance with Freedom of Information Act. We will handle 
every request made pursuant to Sec.  261a.5 of this part as a request 
for information pursuant to the Freedom of Information Act, except that 
the time limits set forth in paragraph (b) of this section and the fees 
specified in Sec.  261a.4 of this part will apply to such requests.
    (b) Time for response. We will acknowledge every request made 
pursuant to Sec.  261a.5 of this part within 20 business days from 
receipt of the request and will, where practicable, respond to each 
request within that 20-day period. When a full response is not 
practicable within the 20-day period, we will respond as promptly as 
possible.
    (c) Disclosure. (1) When we disclose information in response to 
your request, except for information maintained by the Board's OIG, you 
may inspect or copy it during regular business hours at the Board's 
Freedom of Information Office, or you may request that we mail it to 
you.
    (2) When the information to be disclosed is maintained by the 
Board's OIG, the OIG will make the information available for inspection 
and copying or will mail it to you on request.
    (3) You may bring with you anyone you choose to see the requested 
material.
    (d) Denial of request. If we deny a request made pursuant to Sec.  
261a.5 of this part, we will tell you the reason(s) for denial and the 
procedures for appealing the denial.


Sec.  261a.7  Special procedures for medical records.

    If you request medical or psychological records pursuant to Sec.  
261a.5, we will disclose them directly to you unless the Chief Privacy 
Officer, in consultation with the Board's physician or Employee 
Assistance Program counselor, determines that such disclosure could 
have an adverse effect on you. If the Chief Privacy Officer makes that 
determination, we will provide the information to a licensed physician 
or other appropriate representative you name, who may disclose those 
records to you in a manner he or she deems appropriate.


Sec.  261a.8  Request for amendment of record.

    (a) Procedures for making request.
    (1) If you wish to amend a record that pertains to you in a system 
of records, you may submit a request in writing to the Secretary of the 
Board (or to the Inspector General for records in a system of records 
maintained by the OIG) in an envelope clearly marked ``Privacy Act 
Amendment Request.''
    (2) Your request for amendment of a record must--
    (i) Identify the system of records containing the record for which 
amendment is requested;
    (ii) Specify the portion of that record requested to be amended; 
and
    (iii) Describe the nature of and reasons for each requested 
amendment.
    (3) We will require you to verify your identity under the 
procedures set forth in Sec.  261a.5(c) of this part, unless you have 
already done so in a related request for access or amendment.
    (b) Burden of proof. Your request for amendment of a record must 
tell us why you believe the record is not accurate, relevant, timely, 
or complete. You have the burden of proof for demonstrating the 
appropriateness of the requested amendment, and you must provide 
relevant and convincing evidence in support of your request.


Sec.  261a.9  Board review of request for amendment of record.

    (a) Time limits. We will acknowledge your request for amendment of 
your record within 10 business days after we receive your request. In 
the acknowledgment, we may request additional information necessary for 
a determination on the request for amendment. We will make a 
determination on a request to amend a record promptly.
    (b) Contents of response to request for amendment. When we respond 
to a request for amendment, we will tell you whether your request is 
granted or denied. If we deny the request, in whole or in part, we will 
tell you--
    (1) Why we denied the request (or portion of the request);
    (2) That you have a right to appeal; and
    (3) How to file an appeal.


Sec.  261a.10  Appeal of adverse determination of request for access or 
amendment.

    (a) Appeal. You may appeal a denial of a request made pursuant to 
Sec.  261a.5 or Sec.  261a.8 of this part within 10 business days after 
we notify you that we denied your request. Your appeal must--
    (1) Be made in writing to the Secretary of the Board, with the 
words ``PRIVACY ACT APPEAL'' written prominently on the first page;
    (2) Specify the background of the request; and
    (3) Provide reasons why you believe the initial denial is in error.
    (b) Determination. We will make a determination on your appeal 
within 30 business days from the day we receive it, unless we extend 
the time for good cause.
    (1) If we grant your appeal regarding a request for amendment, we 
will take the necessary steps to amend your record, and, when 
appropriate and possible, notify prior recipients of the record of our 
action.
    (2) If we deny your appeal, we will inform you of such 
determination, tell you our reasons for the denial, and tell you about 
your right to file a statement of disagreement and your right to have a 
court review our decision.

[[Page 25597]]

    (c) Statement of disagreement. (1) If we deny your appeal regarding 
a request for amendment, you may file a concise statement of 
disagreement with the denial. We will maintain your statement with the 
record you sought to amend, and any disclosure of the record will 
include a copy of your statement of disagreement.
    (2) When practicable and appropriate, we will provide a copy of the 
statement of disagreement to any prior recipients of the record.

Subpart C--Disclosure of Records


Sec.  261a.11  Restrictions on disclosure.

    We will not disclose any record about you contained in a system of 
records to any person or agency without your prior written consent 
unless the disclosure is authorized by 5 U.S.C. 552a(b).


Sec.  261a.12  Exempt Records.

    (a) Information compiled for civil action. This regulation does not 
permit you to have access to any information compiled in reasonable 
anticipation of a civil action or proceeding.
    (b) Law enforcement information. Pursuant to 5 U.S.C. 552a(k)(2), 
we have determined that it is necessary to exempt the systems of 
records listed below from the requirements of the Privacy Act 
concerning access to records, accountings of disclosures of records, 
maintenance of only relevant and necessary information in files, and 
certain publication provisions, respectively, 5 U.S.C. 552a(c)(3), (d), 
(e)(1), (e)(4)(G), (H) and (I), and (f), and Sec. Sec.  261a.5, 261a.7, 
and 261a.8 of this part. The exemption applies only to the extent that 
a system of records contains investigatory materials compiled for law 
enforcement purposes.
    (1) BGFRS-1 Recruiting and Placement Records.
    (2) BGFRS 2 Personnel Security Systems.
    (3) BGFRS 4 General Personnel Records.
    (4) BGFRS 5 EEO Discrimination Complaint File.
    (5) BGFRS 18 Consumer Complaint Information.
    (6) BGFRS 21 Supervisory Enforcement Actions and Special 
Examinations Tracking System.
    (7) BGFRS 31 Protective Information System.
    (8) BGFRS 32 Visitor Registration System.
    (9) BGFRS 36 Federal Reserve Application Name Check System.
    (10) BGFRS/OIG 1 OIG Investigative Records.
    (c) Confidential references. Pursuant to 5 U.S.C. 552a(k)(5), we 
have determined that it is necessary to exempt the systems of records 
listed below from the requirements of the Privacy Act concerning access 
to records, accountings of disclosures of records, maintenance of only 
relevant and necessary information in files, and certain publication 
provisions, respectively, 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), 
(H) and (I), and (f), and Sec. Sec.  261a.5, 261a.7, and 261a.8 of this 
part. The exemption applies only to the extent that a system of records 
contains investigatory material compiled to determine an individual's 
suitability, eligibility, and qualifications for Board employment or 
access to classified information, and the disclosure of such material 
would reveal the identity of a source who furnished information to the 
Board under a promise of confidentiality.
    (1) BGFRS-1 Recruiting and Placement Records.
    (2) BGFRS-2 Personnel Security Systems.
    (3) BGFRS-4 General Personnel Records.
    (4) BGFRS-10 General Files on Board Members.
    (5) BGFRS-11 Official General Files.
    (6) BGFRS-13 Federal Reserve System Bank Supervision Staff 
Qualifications.
    (7) BGFRS-14 General File on Federal Reserve Bank and Branch 
Directors.
    (8) BGFRS-25 Multi-Rater Feedback Records.
    (9) BGFRS/OIG-1 OIG Investigative Records.
    (10) BGFRS/OIG-2 OIG Personnel Records.
    (d) Criminal law enforcement information. Pursuant to 5 saU.S.C. 
552a(j)(2), we have determined that the OIG Investigative Records 
(BGFRS/OIG-1) are exempt from the Privacy Act, except the provisions 
regarding disclosure, the requirement to keep an accounting, certain 
publication requirements, certain requirements regarding the proper 
maintenance of systems of records, and the criminal penalties for 
violation of the Privacy Act, respectively, 5 U.S.C. 552a(b), (c)(1), 
and (2), (e)(4)(A) through (F), (e)(6), (e)(7), (e)(9), (e)(10), 
(e)(11) and (i).

    By order of the Board of Governors of the Federal Reserve 
System, April 30, 2008.
 Jennifer J. Johnson,
Secretary of the Board.
 [FR Doc. E8-9927 Filed 5-6-08; 8:45 am]
BILLING CODE 6210-01-P