Privacy Act Implementation, 33907-33911 [E9-16678]

Download as PDF Federal Register / Vol. 74, No. 133 / Tuesday, July 14, 2009 / Rules and Regulations FEDERAL HOUSING FINANCE BOARD 12 CFR Part 913 FEDERAL HOUSING FINANCE AGENCY 12 CFR Part 1204 DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT Office of Federal Housing Enterprise Oversight 12 CFR Part 1702 RIN 2590–AA07 Privacy Act Implementation AGENCIES: Federal Housing Finance Board; Federal Housing Finance Agency; Office of Federal Housing Enterprise Oversight. ACTION: Final rule. SUMMARY: The Federal Housing Finance Agency (FHFA) is issuing a final regulation to provide the procedures and guidelines under which it will implement the Privacy Act of 1974, as amended. The regulation provides the policies and procedures whereby individuals may obtain notification of whether an FHFA system of records contains information about the individual and, if so, how to access or amend a record under the Privacy Act. Upon adoption of this regulation the Privacy Act regulations of the Federal Housing Finance Board and the Office of Federal Housing Enterprise Oversight, will be removed. DATES: The effective date of this regulation is: July 14, 2009. FOR FURTHER INFORMATION CONTACT: David A. Lee, Senior Agency Official for Privacy, telephone (202) 408–2514 (not a toll free number), Federal Housing Finance Agency, 1625 Eye Street, NW., Washington, DC 20006. The telephone number for the Telecommunications Device for the Deaf is (800) 877–8339. SUPPLEMENTARY INFORMATION: I. Background hsrobinson on PROD1PC76 with RULES A. Privacy Act The Privacy Act of 1974 serves to balance the Federal Government’s need to maintain information about individuals while protecting individuals against unwarranted invasions of privacy stemming from Federal agencies’ collection, maintenance, use, security, and disclosure of personal information about them that is contained in systems of records. VerDate Nov<24>2008 16:05 Jul 13, 2009 Jkt 217001 The Privacy Act requires each Federal agency to publish rules describing its Privacy Act procedures and any system of records it exempts from provisions of the Privacy Act, including the reasons for the exemption. Pursuant to the Privacy Act, FHFA will inform the public of each system of records it maintains by separately publishing notices of each system of records in the Federal Register and also on the FHFA Web site at http:// www.fhfa.gov. The notices will describe the standards for FHFA employees, regarding collection, use, maintenance, or disclosure of records in the system and identify whether information in the system is exempt from provisions of the Privacy Act. The system manager responsible for the system will also be identified and any other contact information will be included. Moreover, notices will inform individuals with detailed information regarding the exercise of their rights, such as what procedures to take to determine whether a system contains a record pertaining to them, how to access those records pertaining to them, how to seek to amend or correct information in a record about them, or, how to contest adverse determinations with respect to such a record. B. Establishment of the Federal Housing Finance Agency The Housing and Economic Recovery Act of 2008 (HERA), Public Law No. 110–289, 122 Stat. 2654, amended the Federal Housing Enterprises Financial Safety and Soundness Act of 1992 (Safety and Soundness Act) (12 U.S.C. 4501 et seq.) and the Federal Home Loan Bank Act (12 U.S.C. 1421–1449) to establish FHFA as an independent agency of the Federal Government 1 to ensure that the Federal National Mortgage Association, the Federal Home Loan Mortgage Corporation (collectively, the Enterprises), and the Federal Home Loan Banks (Banks) (collectively, the regulated entities) are capitalized adequately; foster liquid, efficient, competitive and resilient national housing finance markets; operate in a safe and sound manner; comply with the Safety and Soundness Act and rules, regulations, guidelines and orders issued under the Act, and the respective authorizing statutes of the regulated entities; and carry out their missions through activities authorized and consistent with the Safety and Soundness Act and their authorizing statutes; and, that the activities and Division A, titled the ‘‘Federal Housing Finance Regulatory Reform Act of 2008,’’ Title I, § 1101 of HERA. PO 00000 1 See Frm 00007 Fmt 4700 Sfmt 4700 33907 operations of the regulated entities are consistent with the public interest. The Office of Federal Housing Enterprise Oversight (OFHEO) and the Federal Housing Finance Board (FHFB) will be abolished one year after enactment of HERA. However, the regulated entities continue to operate under regulations promulgated by OFHEO and FHFB; and such regulations are enforceable by the Director of FHFA until such regulations are modified, terminated, set aside, or superseded by the Director.2 Section 1201 of HERA requires the Director, prior to promulgating regulations relating to the Banks, to consider the differences between the Banks and the Enterprises.3 The Director considered the differences between the Banks and the Enterprises as they relate to the above factors and determined that pending the publication of consolidated Systems of Records Notices, FHFA will maintain the Systems of Records established by FHFB and OFHEO, respectively. C. Proposed Rulemaking The FHFA published a proposed Privacy Act Implementation regulation for public comment in the Federal Register, 74 FR 22842 (May 15, 2009). No comments were received. Accordingly, the proposed regulation is adopted as a final regulation with only minor editorial changes. II. Section-by-Section Analysis Section 1204.1 Why Did FHFA Issue This Part? This section describes the purpose of the regulation, which is to implement the Privacy Act, and explains FHFA general policies and procedures for individuals requesting access to records, amending or correcting records, and requesting an accounting of disclosures of records. Section 1204.2 What Do the Terms in this Part Mean? This section sets forth definitions of some terms in this part. Section 1204.3 How Do I Make a Privacy Act Request? This section explains what an individual must do to submit a valid request to FHFA for access to records or information to amend or correct records or for an accounting of disclosures of records. It also describes the information an individual is to provide, 2 See §§ 1302 and 1312 of HERA (12 U.S.C. 4511 note). 3 See § 1313 of the Safety and Soundness Act (12 U.S.C. 4513), as amended. E:\FR\FM\14JYR1.SGM 14JYR1 33908 Federal Register / Vol. 74, No. 133 / Tuesday, July 14, 2009 / Rules and Regulations allowing FHFA to identify the records sought and determine whether the request can be granted. Section 1204.4 How Will FHFA Respond to my Privacy Act Request? This section describes the period of time within which FHFA will respond to requests. It also explains that FHFA will grant or deny requests in writing, provide reasons if a request is denied in whole or in part, and explain the right of appeal. Section 1204.5 What if I am Dissatisfied With the FHFA Response to my Privacy Act Request? This section describes when and how an individual may appeal FHFA determination on a Privacy Act request and how and within what period of time FHFA will make determinations on an appeal. Section 1204.6 What Does It Cost to Get Records Under the Privacy Act? Regulatory Flexibility Act The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires that a regulation that has a significant economic impact on a substantial number of small entities, small businesses, or small organizations include an initial regulatory flexibility analysis describing the regulation’s impact on small entities. Such an analysis need not be undertaken if the agency has certified that the regulation does not have a significant economic impact on a substantial number of small entities. 5 U.S.C. 605(b). FHFA has considered the impact of the regulation under the Regulatory Flexibility Act. The General Counsel of FHFA certifies that the regulation is not likely to have a significant economic impact on a substantial number of small business entities because the regulation is applicable to the internal operations and legal obligations of FHFA. List of Subjects This section explains that requesters are expected to pay fees for the duplication of records that they requested. 12 CFR Part 913 Administrative practice and procedure, Archives and records, Freedom of information, Privacy. Section 1204.7 Are There Any Exemptions From the Privacy Act? 12 CFR Part 1204 Accounting, Amendment, Appeals, Correction, Disclosure, Exemptions, Fees, Records, Requests, Privacy Act, Social Security numbers. This section explains that some exemptions from the Privacy Act exist, how they are made effective, what the effect of an exemption is, and how to identify if an exemption applies. Section 1204.8 Secured? How Are Records Authority and Issuance This section explains how FHFA generally protects records under the Privacy Act. This section explains that FHFA collects Social Security numbers only when authorized and describes the conditions under which they may be collected. Section 1204.10 What Are FHFA Employee Responsibilities Under the Privacy Act? Paperwork Reduction Act hsrobinson on PROD1PC76 with RULES ■ The final regulation does not contain any information collection requirement that requires the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. 3501 et seq.). 1. Remove part 913. CHAPTER XII—FEDERAL HOUSING FINANCE AGENCY PART 1204—PRIVACY ACT IMPLEMENTATION Sec. 1204.1 Why did FHFA issue this part? 1204.2 What do the terms in this part mean? 1204.3 How do I make a Privacy Act request? 1204.4 How will FHFA respond to my Privacy Act request? 1204.5 What if I am dissatisfied with the FHFA response to my Privacy Act request? PO 00000 Frm 00008 Fmt 4700 Sfmt 4700 Authority: 5 U.S.C. 552a. § 1204.1 Why did FHFA issue this part? FHFA issued this part to: (a) Implement the Privacy Act of 1974, 5 U.S.C. 552a, as amended (Privacy Act), a Federal law that helps protect private information about individuals that Federal agencies collect or maintain. You should read this part together with the Privacy Act, which provides additional information about records maintained on individuals; (b) Establish rules that apply to all FHFA maintained systems of records retrieved by an individual’s name or other personal identifier; (c) Describe procedures through which you may request access to records, request amendment or correction of those records, and request an accounting of disclosures of those records by FHFA; (d) Inform you, that when it is appropriate to do so, FHFA automatically processes a Privacy Act request for access to records under both the Privacy Act and the FOIA, following the rules contained in this part and part 1202 of this subchapter so you will receive the maximum amount of information available to you by law; and (e) Notify you that this regulation does not entitle you to any service or to the disclosure of any record to which you are not entitled under the Privacy Act. It also does not, and may not be relied upon to create any substantive or procedural right or benefit enforceable against FHFA. § 1204.2 mean? PART 913—[REMOVED] 2. Add part 1204 to subchapter A as set forth below. Regulatory Impacts Jkt 217001 CHAPTER IX—FEDERAL HOUSING FINANCE BOARD ■ This section lists the responsibilities of FHFA employees under the Privacy Act. 16:05 Jul 13, 2009 Accordingly, for the reasons stated in the preamble, under 12 U.S.C. 4526, FHFA amends Title 12 CFR Chapters IX, XII and XVII as follows: ■ Section 1204.9 Does FHFA Collect and Use Social Security Numbers? VerDate Nov<24>2008 12 CFR Part 1702 Privacy. 1204.6 What does it cost to get records under the Privacy Act? 1204.7 Are there any exemptions from the Privacy Act? 1204.8 How are records secured? 1204.9 Does FHFA collect and use Social Security numbers? 1204.10 What are FHFA employee responsibilities under the Privacy Act? What do the terms in this part The following definitions apply to the terms used in this part— Access means making a record available to a subject individual. Amendment means any correction of, addition to, or deletion from a record. Court means any entity conducting a legal proceeding. FHFA means the Federal Housing Finance Agency. FHFB means the Federal Housing Finance Board. FOIA means the Freedom of Information Act, as amended (5 U.S.C. 552). Individual means a natural person who is either a citizen ofhe United States of America or an alien lawfully admitted for permanent residence. E:\FR\FM\14JYR1.SGM 14JYR1 Federal Register / Vol. 74, No. 133 / Tuesday, July 14, 2009 / Rules and Regulations Maintain includes collect, use, disseminate, or control. OFHEO means the Office of Federal Housing Enterprise Oversight. Privacy Act means the Privacy Act of 1974, as amended (5 U.S.C. 552a). Privacy Act Appeals Officer means the FHFA employee who has been delegated the authority to determine Privacy Act appeals. Privacy Act Officer means the FHFA employee who has primary responsibility for privacy and data protection policy and is authorized to determine Privacy Act requests. Record means any item, collection, or grouping of information about an individual that FHFA maintains within a system of records, including, but not limited to, the individual’s name, an identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or photograph. Routine use means the purposes for which records and information contained in a system of records may be disclosed by FHFA without the consent of the subject of the record. Routine uses for records are identified in each System of Records Notice. Routine use does not include disclosure that subsection (b) of the Privacy Act (5 U.S.C. 552a(b)) otherwise permits. Senior Agency Official for Privacy means the FHFA employee delegated the authority and responsibility to oversee and supervise the FHFA privacy program and implementation of the Privacy Act. System of records means a group of records FHFA maintains or controls from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Single records or groups of records that are not retrieved by a personal identifier are not part of a system of records. hsrobinson on PROD1PC76 with RULES § 1204.3 How do I make a Privacy Act request? (a) What is a valid request? In general, a Privacy Act request can be made on your own behalf for records or information about you. You can make a Privacy Act request on behalf of another individual as the parent or guardian of a minor or as the guardian of someone determined by a court to be incompetent. You also may request access to another individual’s record or information if you have that individual’s written consent, unless other conditions of disclosure apply (5 U.S.C. 552a(b)(1) through (12)). (b) How and where do I make a request? Your request must be in VerDate Nov<24>2008 16:05 Jul 13, 2009 Jkt 217001 writing. You may appear in person to submit your written request to the Privacy Act Officer, or send your written request to the Privacy Act Officer by electronic mail, regular mail, or fax. The electronic mail address is: privacy@fhfa.gov. The regular mail address is: Privacy Act Officer, Federal Housing Finance Agency, 1625 Eye Street, NW., Washington, DC 20006. The fax number is: (202) 408–2530. For the quickest possible handling, you should mark your electronic mail, letter, or fax and the subject line, envelope, or fax cover sheet ‘‘Privacy Act Request.’’ (c) What must the request include? You must describe the record that you want in enough detail to enable the Privacy Act Officer to locate the system of records containing it with a reasonable amount of effort. Your request should include specific information about each record sought, such as the time period in which you believe it was compiled, the name or identifying number of each system of records in which you believe it is kept, and the date, title or name, author, recipient, and subject matter of the record. As a general rule, the more specific you are about the record that you want, the more likely FHFA will be able to locate it in response to your request. (d) How do I request amendment or correction of a record? If you are requesting an amendment or correction of any FHFA record, you should identify each particular record in question and the systems of records in which the record is located, describe the amendment or correction that you want, and state why you believe that the record is not accurate, relevant, timely, or complete. You may submit any documentation that you think would be helpful, including an annotated copy of the record. (e) How do I request for an accounting of disclosures? If you are requesting an accounting of disclosures by FHFA of a record to another person, organization, or Federal agency, you should identify each particular record in question. An accounting generally includes the date, nature, and purpose of each disclosure, as well as the name and address of the person, organization, or Federal agency to which the disclosure was made. (f) Must I verify my identity? When making requests under the Privacy Act, your request must verify your identity to protect your privacy or the privacy of the individual on whose behalf you are acting. If you make a Privacy Act request and you do not follow these identity verification procedures, FHFA cannot process your request. PO 00000 Frm 00009 Fmt 4700 Sfmt 4700 33909 (1) How do I verify my identity? To verify your identity, you must state your full name, current address, and date and place of birth. In order to help identify and locate the records you request, you also may, at your option, include your Social Security number. If you make your request in person and your identity is not known to the Privacy Act Officer, you must provide either two forms of identification with photographs, or one form of identification with a photograph and a properly authenticated birth certificate. If you make your request by mail, your signature either must be notarized or submitted under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization. You may fulfill this requirement by having your signature on your request letter witnessed by a notary or by including the following statement just before the signature on your request letter: ‘‘I declare under penalty of perjury that the foregoing is true and correct. Executed on [date].’’ (2) How do I verify parentage or guardianship? If you make a Privacy Act request as the parent or guardian of a minor or as the guardian of someone determined by a court to be incompetent, with respect to records or information about that individual, you must establish: (i) The identity of the individual who is the subject of the record, by stating the individual’s name, current address, date and place of birth, and, at your option, the Social Security number of the individual; (ii) Your own identity, as required in paragraph (f)(1) of this section; (iii) That you are the parent or guardian of the individual, which you may prove by providing a properly authenticated copy of the individual’s birth certificate showing your parentage or a properly authenticated court order establishing your guardianship; and (iv) That you are acting on behalf of the individual in making the request. § 1204.4 How will FHFA respond to my Privacy Act request? (a) How will FHFA locate the requested records? FHFA will search to determine if requested records exist in the systems of records it owns or controls. You can find descriptions of FHFA systems of records on its Web site at http://www.fhfa.gov, or by linking to http://www.ofheo.gov and http:// www.fhfb.gov, as appropriate. You can also find descriptions of OFHEO and FHFB systems of records that have not been superseded on the FHFA Web site. A description of the systems of records also is available in the ‘‘Privacy Act E:\FR\FM\14JYR1.SGM 14JYR1 hsrobinson on PROD1PC76 with RULES 33910 Federal Register / Vol. 74, No. 133 / Tuesday, July 14, 2009 / Rules and Regulations Issuances’’ compilation published by the Office of the Federal Register of the National Archives and Records Administration. You can access the ‘‘Privacy Act Issuances’’ compilation in most large reference and university libraries or electronically at the Government Printing Office Web site at: http://www.gpoaccess.gov/privacyact/ index.html. You also can request a copy of FHFA systems of records from the Privacy Act Officer. (b) How long does FHFA have to respond? The Privacy Act Officer generally will respond to your request in writing within 20 business days after receiving it, if it meets the requirements of § 1204.3. FHFA may extend the response time in unusual circumstances, such as when consultation is needed with another Federal agency (if that agency is subject to the Privacy Act) about a record or to retrieve a record shipped offsite for storage. If you submit your written request in person, the Privacy Act Officer may disclose records or information to you directly with a written record made of the grant of the request. If you are to be accompanied by another person when accessing your record or any information pertaining to you, FHFA may require your written authorization before permitting access or discussing the record in the presence of the other person. (c) What will the FHFA response include? The written response will include a determination to grant or deny your request in whole or in part, a brief explanation of the reasons for the determination, and the amount of the fee charged, if any, under § 1204.6. If you are granted a request to access a record, FHFA will make the record available to you. If you are granted a request to amend or correct a record, the response will describe any amendments or corrections made and advise you of your right to obtain a copy of the amended or corrected record. (d) What is an adverse determination? An adverse determination is a determination on a Privacy Act request that: (1) Withholds any requested record in whole or in part; (2) Denies a request for an amendment or correction of a record in whole or in part; (3) Declines to provide a requested accounting of disclosures; (4) Advises that a requested record does not exist or cannot be located; (5) Finds what has been requested is not a record subject to the Privacy Act; or (6) Addresses any disputed fee matter. VerDate Nov<24>2008 16:05 Jul 13, 2009 Jkt 217001 (e) What will be stated in a response that includes an adverse determination? If the Privacy Act Officer makes an adverse determination with respect to your request, the written response under this section will state that the Privacy Act Officer is the person responsible for the adverse determination, that the adverse determination is not a final action of FHFA, and that you may appeal the adverse determination under § 1204.5. § 1204.5 What if I am dissatisfied with the FHFA response to my Privacy Act request? (a) May I appeal the response? You may appeal any adverse determination made by the Privacy Act Officer in response to your Privacy Act request. If you wish to seek review by a court of any adverse determination or denial of a request, you first must appeal it under this section. (b) How do I appeal the response? (1) You may appeal by submitting a written appeal stating the reasons you believe the adverse determination should be overturned. FHFA must receive your written appeal within 30 business days of the date of the Privacy Act Officer’s determination under § 1204.4. Your written appeal may include as much or as little related information as you wish, as long as it clearly identifies the determination (including the request number, if known) that you are appealing. (2) You should transmit your written appeal addressed to the Privacy Act Appeals Officer by electronic mail, regular mail, or fax. The electronic mail address is: privacy@fhfa.gov. The regular mail address is: Privacy Act Appeals Officer, Federal Housing Finance Agency, 1700 G Street, NW., Fourth Floor, Washington, DC 20552. The fax number is: (202) 414–6504. For the quickest possible handling, you should mark your electronic mail, letter, or fax and the subject line, envelope, or fax cover sheet ‘‘Privacy Act Appeal.’’ FHFA ordinarily will not act on an appeal if the Privacy Act request becomes a matter of Privacy Act litigation. (c) Who has the authority to grant or deny appeals? The Privacy Act Appeals Officer is authorized to act on behalf of the Director on all appeals under this section. (d) When will FHFA respond to my appeal? FHFA generally will respond to you in writing within 30 business days of receipt of an appeal that meets the requirements of paragraph (b) of this section, unless for good cause shown, the Director extends the response time. (e) What will the FHFA response include? The written response will PO 00000 Frm 00010 Fmt 4700 Sfmt 4700 include the determination of the Privacy Act Appeals Officer; whether to grant or deny your appeal in whole or in part, a brief explanation of the reasons for the determination, and information about the Privacy Act provisions for court review of the determination. (1) If your appeal concerns a request for access to records or information and the appeal determination grants your access, the records or information, if any, will be made available to you. (2)(i) If your appeal concerns an amendment or correction of a record and the appeal determination grants your request for an amendment or correction, the response will describe any amendment or correction made to the record and advise you of your right to obtain a copy of the amended or corrected record under this part. FHFA will notify all persons, organizations, or Federal agencies to which it previously disclosed the record, if an accounting of that disclosure was made, that the record has been amended or corrected. Whenever the record is subsequently disclosed, the record will be disclosed as amended or corrected. (ii) If the response to your appeal denies your request for an amendment or correction to a record, the response will advise you of your right to file a Statement of Disagreement under paragraph (f) of this section. (f) What is a Statement of Disagreement? (1) A Statement of Disagreement is a concise written statement in which you clearly identify each part of any record that you dispute and explain your reason(s) for disagreeing with the Privacy Act Appeals Officer’s denial in whole or in part of your appeal requesting amendment or correction. Your Statement of Disagreement must be received by the Privacy Act Officer within 30 business days of the Privacy Act Appeals Officer’s denial in whole or in part of your appeal concerning amendment or correction of a record. FHFA will place your Statement of Disagreement in the system(s) of records in which the disputed record is maintained. FHFA also may append a concise statement of its reason(s) for denying the request for an amendment or correction of the record. (2) FHFA will notify all persons, organizations, or Federal agencies to which it previously disclosed the disputed record, if an accounting of that disclosure was made, that the record is disputed and provide your Statement of Disagreement and the FHFA concise statement, if any. Whenever the disputed record is subsequently disclosed, a copy of your Statement of E:\FR\FM\14JYR1.SGM 14JYR1 Federal Register / Vol. 74, No. 133 / Tuesday, July 14, 2009 / Rules and Regulations (a) Must I agree to pay fees? Your Privacy Act request is your agreement to pay all applicable fees, unless you specify a limit on the amount of fees you agree to pay. FHFA will not exceed the specified limit without your written agreement. (b) How does FHFA calculate fees? FHFA will charge a fee for duplication of a record under the Privacy Act in the same way it charges for duplication of records under FOIA (5 U.S.C. 552) in 12 CFR 1202.11. There are no fees to search for or review records. (1) Records are protected from public view; (2) The area in which records are kept is supervised during business hours to prevent unauthorized persons from having access to them; (3) Records are inaccessible to unauthorized persons outside of business hours; and (4) Records are not disclosed to unauthorized persons or under unauthorized circumstances in either oral or written form. (b) Is access to records restricted? Access to records is restricted only to authorized employees who require access in order to perform their official duties. § 1204.7 Are there any exemptions from the Privacy Act? § 1204.9 Does FHFA collect and use Social Security numbers? Disagreement and the FHFA concise statement, if any, will also be disclosed. § 1204.6 What does it cost to get records under the Privacy Act? (a) What is a Privacy Act exemption? The Privacy Act allows the Director to exempt records or information in a system of records from some of the Privacy Act requirements, if the Director determines that the exemption is necessary. (b) How do I know if the records or information I want are exempt? (1) Each notice of a system of records will advise you if the Director has determined records or information in records are exempt from Privacy Act requirements. If the Director has claimed an exemption for a system of records, the System of Records Notice will identify the exemption and the provisions of the Privacy Act from which the system is exempt. (2) Until superseded by FHFA Systems of Records, the following OFHEO and FHFB Systems of Records are, under 5 U.S.C. 552a(k)(2) or (k)(5), exempt from the Privacy Act requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f): (i) OFHEO–11 Litigation and Enforcement Information System; (ii) FHFB–5 Agency Personnel Investigative Records; and (iii) FHFB–6 Office of Inspector General Audit and Investigative Records. hsrobinson on PROD1PC76 with RULES § 1204.8 How are records secured? (a) What controls must FHFA have in place? Each FHFA office must establish administrative and physical controls to prevent unauthorized access to its systems of records, unauthorized or inadvertent disclosure of records, and physical damage to or destruction of records. The stringency of these controls should correspond to the sensitivity of the records that the controls protect. At a minimum, the administrative and physical controls must ensure that: VerDate Nov<24>2008 16:05 Jul 13, 2009 Jkt 217001 FHFA collects Social Security numbers only when it is necessary and authorized. At least annually, the Privacy Act Officer or the Senior Agency Official for Privacy will inform employees who are authorized to collect information that: (a) Individuals may not be denied any right, benefit, or privilege as a result of refusing to provide their Social Security numbers, unless the collection is authorized either by a statute or by a regulation issued prior to 1975; and (b) They must inform individuals who are asked to provide their Social Security numbers: (1) If providing a Social Security number is mandatory or voluntary; (2) If any statutory or regulatory authority authorizes collection of a Social Security number; and (3) The uses that will be made of the Social Security number. § 1204.10 What are FHFA employee responsibilities under the Privacy Act? At least annually, the Privacy Act Officer or the Senior Agency Official for Privacy will inform employees about the provisions of the Privacy Act, including the Privacy Act’s civil liability and criminal penalty provisions. Unless otherwise permitted by law, an authorized FHFA employee shall: (a) Collect from individuals only information that is relevant and necessary to discharge FHFA responsibilities; (b) Collect information about an individual directly from that individual whenever practicable; (c) Inform each individual from whom information is collected of: (1) The legal authority to collect the information and whether providing it is mandatory or voluntary; (2) The principal purpose for which FHFA intends to use the information; PO 00000 Frm 00011 Fmt 4700 Sfmt 4700 33911 (3) The routine uses FHFA may make of the information; and (4) The effects on the individual, if any, of not providing the information. (d) Ensure that the employee’s office does not maintain a system of records without public notice and notify appropriate officials of the existence or development of any system of records that is not the subject of a current or planned public notice. (e) Maintain all records that are used in making any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination. (f) Except for disclosures made under the FOIA, make reasonable efforts, prior to disseminating any record about an individual, to ensure that the record is accurate, relevant, timely, and complete. (g) When required by the Privacy Act, maintain an accounting in the specified form of all disclosures of records by FHFA to persons, organizations, or Federal agencies. (h) Maintain and use records with care to prevent the unauthorized or inadvertent disclosure of a record to anyone. (i) Notify the appropriate official of any record that contains information that the Privacy Act does not permit FHFA to maintain. CHAPTER XVII—OFFICE OF FEDERAL HOUSING ENTERPRISE OVERSIGHT, DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT PART 1702—[REMOVED] ■ 3. Remove part 1702. Dated: July 9, 2009. James B. Lockhart III, Director, Federal Housing Finance Agency. [FR Doc. E9–16678 Filed 7–13–09; 8:45 am] BILLING CODE 8070–01–P SMALL BUSINESS ADMINISTRATION 13 CFR Part 107 RIN 3245–AF92 Small Business Investment Companies—Leverage Eligibility and Portfolio Diversification Requirements AGENCY: U.S. Small Business Administration. ACTION: Interim final rule. SUMMARY: This interim final rule implements certain provisions of the American Recovery and Reinvestment Act of 2009 affecting small business E:\FR\FM\14JYR1.SGM 14JYR1

Agencies

[Federal Register Volume 74, Number 133 (Tuesday, July 14, 2009)]
[Rules and Regulations]
[Pages 33907-33911]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-16678]



[[Page 33907]]

=======================================================================
-----------------------------------------------------------------------

FEDERAL HOUSING FINANCE BOARD

12 CFR Part 913

FEDERAL HOUSING FINANCE AGENCY

12 CFR Part 1204

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

Office of Federal Housing Enterprise Oversight

12 CFR Part 1702

RIN 2590-AA07


Privacy Act Implementation

AGENCIES: Federal Housing Finance Board; Federal Housing Finance 
Agency; Office of Federal Housing Enterprise Oversight.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Housing Finance Agency (FHFA) is issuing a final 
regulation to provide the procedures and guidelines under which it will 
implement the Privacy Act of 1974, as amended. The regulation provides 
the policies and procedures whereby individuals may obtain notification 
of whether an FHFA system of records contains information about the 
individual and, if so, how to access or amend a record under the 
Privacy Act. Upon adoption of this regulation the Privacy Act 
regulations of the Federal Housing Finance Board and the Office of 
Federal Housing Enterprise Oversight, will be removed.

DATES: The effective date of this regulation is: July 14, 2009.

FOR FURTHER INFORMATION CONTACT: David A. Lee, Senior Agency Official 
for Privacy, telephone (202) 408-2514 (not a toll free number), Federal 
Housing Finance Agency, 1625 Eye Street, NW., Washington, DC 20006. The 
telephone number for the Telecommunications Device for the Deaf is 
(800) 877-8339.

SUPPLEMENTARY INFORMATION:

I. Background

A. Privacy Act

    The Privacy Act of 1974 serves to balance the Federal Government's 
need to maintain information about individuals while protecting 
individuals against unwarranted invasions of privacy stemming from 
Federal agencies' collection, maintenance, use, security, and 
disclosure of personal information about them that is contained in 
systems of records.
    The Privacy Act requires each Federal agency to publish rules 
describing its Privacy Act procedures and any system of records it 
exempts from provisions of the Privacy Act, including the reasons for 
the exemption.
    Pursuant to the Privacy Act, FHFA will inform the public of each 
system of records it maintains by separately publishing notices of each 
system of records in the Federal Register and also on the FHFA Web site 
at http://www.fhfa.gov. The notices will describe the standards for 
FHFA employees, regarding collection, use, maintenance, or disclosure 
of records in the system and identify whether information in the system 
is exempt from provisions of the Privacy Act. The system manager 
responsible for the system will also be identified and any other 
contact information will be included. Moreover, notices will inform 
individuals with detailed information regarding the exercise of their 
rights, such as what procedures to take to determine whether a system 
contains a record pertaining to them, how to access those records 
pertaining to them, how to seek to amend or correct information in a 
record about them, or, how to contest adverse determinations with 
respect to such a record.

B. Establishment of the Federal Housing Finance Agency

    The Housing and Economic Recovery Act of 2008 (HERA), Public Law 
No. 110-289, 122 Stat. 2654, amended the Federal Housing Enterprises 
Financial Safety and Soundness Act of 1992 (Safety and Soundness Act) 
(12 U.S.C. 4501 et seq.) and the Federal Home Loan Bank Act (12 U.S.C. 
1421-1449) to establish FHFA as an independent agency of the Federal 
Government \1\ to ensure that the Federal National Mortgage 
Association, the Federal Home Loan Mortgage Corporation (collectively, 
the Enterprises), and the Federal Home Loan Banks (Banks) 
(collectively, the regulated entities) are capitalized adequately; 
foster liquid, efficient, competitive and resilient national housing 
finance markets; operate in a safe and sound manner; comply with the 
Safety and Soundness Act and rules, regulations, guidelines and orders 
issued under the Act, and the respective authorizing statutes of the 
regulated entities; and carry out their missions through activities 
authorized and consistent with the Safety and Soundness Act and their 
authorizing statutes; and, that the activities and operations of the 
regulated entities are consistent with the public interest.
---------------------------------------------------------------------------

    \1\ See Division A, titled the ``Federal Housing Finance 
Regulatory Reform Act of 2008,'' Title I, Sec.  1101 of HERA.
---------------------------------------------------------------------------

    The Office of Federal Housing Enterprise Oversight (OFHEO) and the 
Federal Housing Finance Board (FHFB) will be abolished one year after 
enactment of HERA. However, the regulated entities continue to operate 
under regulations promulgated by OFHEO and FHFB; and such regulations 
are enforceable by the Director of FHFA until such regulations are 
modified, terminated, set aside, or superseded by the Director.\2\
---------------------------------------------------------------------------

    \2\ See Sec. Sec.  1302 and 1312 of HERA (12 U.S.C. 4511 note).
---------------------------------------------------------------------------

    Section 1201 of HERA requires the Director, prior to promulgating 
regulations relating to the Banks, to consider the differences between 
the Banks and the Enterprises.\3\ The Director considered the 
differences between the Banks and the Enterprises as they relate to the 
above factors and determined that pending the publication of 
consolidated Systems of Records Notices, FHFA will maintain the Systems 
of Records established by FHFB and OFHEO, respectively.
---------------------------------------------------------------------------

    \3\ See Sec.  1313 of the Safety and Soundness Act (12 U.S.C. 
4513), as amended.
---------------------------------------------------------------------------

C. Proposed Rulemaking

    The FHFA published a proposed Privacy Act Implementation regulation 
for public comment in the Federal Register, 74 FR 22842 (May 15, 2009). 
No comments were received. Accordingly, the proposed regulation is 
adopted as a final regulation with only minor editorial changes.

II. Section-by-Section Analysis

Section 1204.1 Why Did FHFA Issue This Part?

    This section describes the purpose of the regulation, which is to 
implement the Privacy Act, and explains FHFA general policies and 
procedures for individuals requesting access to records, amending or 
correcting records, and requesting an accounting of disclosures of 
records.

Section 1204.2 What Do the Terms in this Part Mean?

    This section sets forth definitions of some terms in this part.

Section 1204.3 How Do I Make a Privacy Act Request?

    This section explains what an individual must do to submit a valid 
request to FHFA for access to records or information to amend or 
correct records or for an accounting of disclosures of records. It also 
describes the information an individual is to provide,

[[Page 33908]]

allowing FHFA to identify the records sought and determine whether the 
request can be granted.

Section 1204.4 How Will FHFA Respond to my Privacy Act Request?

    This section describes the period of time within which FHFA will 
respond to requests. It also explains that FHFA will grant or deny 
requests in writing, provide reasons if a request is denied in whole or 
in part, and explain the right of appeal.

Section 1204.5 What if I am Dissatisfied With the FHFA Response to my 
Privacy Act Request?

    This section describes when and how an individual may appeal FHFA 
determination on a Privacy Act request and how and within what period 
of time FHFA will make determinations on an appeal.

Section 1204.6 What Does It Cost to Get Records Under the Privacy Act?

    This section explains that requesters are expected to pay fees for 
the duplication of records that they requested.

Section 1204.7 Are There Any Exemptions From the Privacy Act?

    This section explains that some exemptions from the Privacy Act 
exist, how they are made effective, what the effect of an exemption is, 
and how to identify if an exemption applies.

Section 1204.8 How Are Records Secured?

    This section explains how FHFA generally protects records under the 
Privacy Act.

Section 1204.9 Does FHFA Collect and Use Social Security Numbers?

    This section explains that FHFA collects Social Security numbers 
only when authorized and describes the conditions under which they may 
be collected.

Section 1204.10 What Are FHFA Employee Responsibilities Under the 
Privacy Act?

    This section lists the responsibilities of FHFA employees under the 
Privacy Act.

Regulatory Impacts

Paperwork Reduction Act

    The final regulation does not contain any information collection 
requirement that requires the approval of the Office of Management and 
Budget under the Paperwork Reduction Act (44 U.S.C. 3501 et seq.).

Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires that 
a regulation that has a significant economic impact on a substantial 
number of small entities, small businesses, or small organizations 
include an initial regulatory flexibility analysis describing the 
regulation's impact on small entities. Such an analysis need not be 
undertaken if the agency has certified that the regulation does not 
have a significant economic impact on a substantial number of small 
entities. 5 U.S.C. 605(b). FHFA has considered the impact of the 
regulation under the Regulatory Flexibility Act. The General Counsel of 
FHFA certifies that the regulation is not likely to have a significant 
economic impact on a substantial number of small business entities 
because the regulation is applicable to the internal operations and 
legal obligations of FHFA.

List of Subjects

12 CFR Part 913

    Administrative practice and procedure, Archives and records, 
Freedom of information, Privacy.

12 CFR Part 1204

    Accounting, Amendment, Appeals, Correction, Disclosure, Exemptions, 
Fees, Records, Requests, Privacy Act, Social Security numbers.

12 CFR Part 1702

    Privacy.

Authority and Issuance

0
Accordingly, for the reasons stated in the preamble, under 12 U.S.C. 
4526, FHFA amends Title 12 CFR Chapters IX, XII and XVII as follows:

CHAPTER IX--FEDERAL HOUSING FINANCE BOARD

PART 913--[REMOVED]

0
1. Remove part 913.

CHAPTER XII--FEDERAL HOUSING FINANCE AGENCY

0
2. Add part 1204 to subchapter A as set forth below.

PART 1204--PRIVACY ACT IMPLEMENTATION

Sec.
1204.1 Why did FHFA issue this part?
1204.2 What do the terms in this part mean?
1204.3 How do I make a Privacy Act request?
1204.4 How will FHFA respond to my Privacy Act request?
1204.5 What if I am dissatisfied with the FHFA response to my 
Privacy Act request?
1204.6 What does it cost to get records under the Privacy Act?
1204.7 Are there any exemptions from the Privacy Act?
1204.8 How are records secured?
1204.9 Does FHFA collect and use Social Security numbers?
1204.10 What are FHFA employee responsibilities under the Privacy 
Act?

    Authority: 5 U.S.C. 552a.


Sec.  1204.1  Why did FHFA issue this part?

    FHFA issued this part to:
    (a) Implement the Privacy Act of 1974, 5 U.S.C. 552a, as amended 
(Privacy Act), a Federal law that helps protect private information 
about individuals that Federal agencies collect or maintain. You should 
read this part together with the Privacy Act, which provides additional 
information about records maintained on individuals;
    (b) Establish rules that apply to all FHFA maintained systems of 
records retrieved by an individual's name or other personal identifier;
    (c) Describe procedures through which you may request access to 
records, request amendment or correction of those records, and request 
an accounting of disclosures of those records by FHFA;
    (d) Inform you, that when it is appropriate to do so, FHFA 
automatically processes a Privacy Act request for access to records 
under both the Privacy Act and the FOIA, following the rules contained 
in this part and part 1202 of this subchapter so you will receive the 
maximum amount of information available to you by law; and
    (e) Notify you that this regulation does not entitle you to any 
service or to the disclosure of any record to which you are not 
entitled under the Privacy Act. It also does not, and may not be relied 
upon to create any substantive or procedural right or benefit 
enforceable against FHFA.


Sec.  1204.2  What do the terms in this part mean?

    The following definitions apply to the terms used in this part--
    Access means making a record available to a subject individual.
    Amendment means any correction of, addition to, or deletion from a 
record.
    Court means any entity conducting a legal proceeding.
    FHFA means the Federal Housing Finance Agency.
    FHFB means the Federal Housing Finance Board.
    FOIA means the Freedom of Information Act, as amended (5 U.S.C. 
552).
    Individual means a natural person who is either a citizen ofhe 
United States of America or an alien lawfully admitted for permanent 
residence.

[[Page 33909]]

    Maintain includes collect, use, disseminate, or control.
    OFHEO means the Office of Federal Housing Enterprise Oversight.
    Privacy Act means the Privacy Act of 1974, as amended (5 U.S.C. 
552a).
    Privacy Act Appeals Officer means the FHFA employee who has been 
delegated the authority to determine Privacy Act appeals.
    Privacy Act Officer means the FHFA employee who has primary 
responsibility for privacy and data protection policy and is authorized 
to determine Privacy Act requests.
    Record means any item, collection, or grouping of information about 
an individual that FHFA maintains within a system of records, 
including, but not limited to, the individual's name, an identifying 
number, symbol, or other identifying particular assigned to the 
individual, such as a finger or voice print or photograph.
    Routine use means the purposes for which records and information 
contained in a system of records may be disclosed by FHFA without the 
consent of the subject of the record. Routine uses for records are 
identified in each System of Records Notice. Routine use does not 
include disclosure that subsection (b) of the Privacy Act (5 U.S.C. 
552a(b)) otherwise permits.
    Senior Agency Official for Privacy means the FHFA employee 
delegated the authority and responsibility to oversee and supervise the 
FHFA privacy program and implementation of the Privacy Act.
    System of records means a group of records FHFA maintains or 
controls from which information is retrieved by the name of an 
individual or by some identifying number, symbol, or other identifying 
particular assigned to the individual. Single records or groups of 
records that are not retrieved by a personal identifier are not part of 
a system of records.


Sec.  1204.3  How do I make a Privacy Act request?

    (a) What is a valid request? In general, a Privacy Act request can 
be made on your own behalf for records or information about you. You 
can make a Privacy Act request on behalf of another individual as the 
parent or guardian of a minor or as the guardian of someone determined 
by a court to be incompetent. You also may request access to another 
individual's record or information if you have that individual's 
written consent, unless other conditions of disclosure apply (5 U.S.C. 
552a(b)(1) through (12)).
    (b) How and where do I make a request? Your request must be in 
writing. You may appear in person to submit your written request to the 
Privacy Act Officer, or send your written request to the Privacy Act 
Officer by electronic mail, regular mail, or fax. The electronic mail 
address is: privacy@fhfa.gov. The regular mail address is: Privacy Act 
Officer, Federal Housing Finance Agency, 1625 Eye Street, NW., 
Washington, DC 20006. The fax number is: (202) 408-2530. For the 
quickest possible handling, you should mark your electronic mail, 
letter, or fax and the subject line, envelope, or fax cover sheet 
``Privacy Act Request.''
    (c) What must the request include? You must describe the record 
that you want in enough detail to enable the Privacy Act Officer to 
locate the system of records containing it with a reasonable amount of 
effort. Your request should include specific information about each 
record sought, such as the time period in which you believe it was 
compiled, the name or identifying number of each system of records in 
which you believe it is kept, and the date, title or name, author, 
recipient, and subject matter of the record. As a general rule, the 
more specific you are about the record that you want, the more likely 
FHFA will be able to locate it in response to your request.
    (d) How do I request amendment or correction of a record? If you 
are requesting an amendment or correction of any FHFA record, you 
should identify each particular record in question and the systems of 
records in which the record is located, describe the amendment or 
correction that you want, and state why you believe that the record is 
not accurate, relevant, timely, or complete. You may submit any 
documentation that you think would be helpful, including an annotated 
copy of the record.
    (e) How do I request for an accounting of disclosures? If you are 
requesting an accounting of disclosures by FHFA of a record to another 
person, organization, or Federal agency, you should identify each 
particular record in question. An accounting generally includes the 
date, nature, and purpose of each disclosure, as well as the name and 
address of the person, organization, or Federal agency to which the 
disclosure was made.
    (f) Must I verify my identity? When making requests under the 
Privacy Act, your request must verify your identity to protect your 
privacy or the privacy of the individual on whose behalf you are 
acting. If you make a Privacy Act request and you do not follow these 
identity verification procedures, FHFA cannot process your request.
    (1) How do I verify my identity? To verify your identity, you must 
state your full name, current address, and date and place of birth. In 
order to help identify and locate the records you request, you also 
may, at your option, include your Social Security number. If you make 
your request in person and your identity is not known to the Privacy 
Act Officer, you must provide either two forms of identification with 
photographs, or one form of identification with a photograph and a 
properly authenticated birth certificate. If you make your request by 
mail, your signature either must be notarized or submitted under 28 
U.S.C. 1746, a law that permits statements to be made under penalty of 
perjury as a substitute for notarization. You may fulfill this 
requirement by having your signature on your request letter witnessed 
by a notary or by including the following statement just before the 
signature on your request letter: ``I declare under penalty of perjury 
that the foregoing is true and correct. Executed on [date].''
    (2) How do I verify parentage or guardianship? If you make a 
Privacy Act request as the parent or guardian of a minor or as the 
guardian of someone determined by a court to be incompetent, with 
respect to records or information about that individual, you must 
establish:
    (i) The identity of the individual who is the subject of the 
record, by stating the individual's name, current address, date and 
place of birth, and, at your option, the Social Security number of the 
individual;
    (ii) Your own identity, as required in paragraph (f)(1) of this 
section;
    (iii) That you are the parent or guardian of the individual, which 
you may prove by providing a properly authenticated copy of the 
individual's birth certificate showing your parentage or a properly 
authenticated court order establishing your guardianship; and
    (iv) That you are acting on behalf of the individual in making the 
request.


Sec.  1204.4  How will FHFA respond to my Privacy Act request?

    (a) How will FHFA locate the requested records? FHFA will search to 
determine if requested records exist in the systems of records it owns 
or controls. You can find descriptions of FHFA systems of records on 
its Web site at http://www.fhfa.gov, or by linking to http://www.ofheo.gov and http://www.fhfb.gov, as appropriate. You can also 
find descriptions of OFHEO and FHFB systems of records that have not 
been superseded on the FHFA Web site. A description of the systems of 
records also is available in the ``Privacy Act

[[Page 33910]]

Issuances'' compilation published by the Office of the Federal Register 
of the National Archives and Records Administration. You can access the 
``Privacy Act Issuances'' compilation in most large reference and 
university libraries or electronically at the Government Printing 
Office Web site at: http://www.gpoaccess.gov/privacyact/index.html. You 
also can request a copy of FHFA systems of records from the Privacy Act 
Officer.
    (b) How long does FHFA have to respond? The Privacy Act Officer 
generally will respond to your request in writing within 20 business 
days after receiving it, if it meets the requirements of Sec.  1204.3. 
FHFA may extend the response time in unusual circumstances, such as 
when consultation is needed with another Federal agency (if that agency 
is subject to the Privacy Act) about a record or to retrieve a record 
shipped offsite for storage. If you submit your written request in 
person, the Privacy Act Officer may disclose records or information to 
you directly with a written record made of the grant of the request. If 
you are to be accompanied by another person when accessing your record 
or any information pertaining to you, FHFA may require your written 
authorization before permitting access or discussing the record in the 
presence of the other person.
    (c) What will the FHFA response include? The written response will 
include a determination to grant or deny your request in whole or in 
part, a brief explanation of the reasons for the determination, and the 
amount of the fee charged, if any, under Sec.  1204.6. If you are 
granted a request to access a record, FHFA will make the record 
available to you. If you are granted a request to amend or correct a 
record, the response will describe any amendments or corrections made 
and advise you of your right to obtain a copy of the amended or 
corrected record.
    (d) What is an adverse determination? An adverse determination is a 
determination on a Privacy Act request that:
    (1) Withholds any requested record in whole or in part;
    (2) Denies a request for an amendment or correction of a record in 
whole or in part;
    (3) Declines to provide a requested accounting of disclosures;
    (4) Advises that a requested record does not exist or cannot be 
located;
    (5) Finds what has been requested is not a record subject to the 
Privacy Act; or
    (6) Addresses any disputed fee matter.
    (e) What will be stated in a response that includes an adverse 
determination? If the Privacy Act Officer makes an adverse 
determination with respect to your request, the written response under 
this section will state that the Privacy Act Officer is the person 
responsible for the adverse determination, that the adverse 
determination is not a final action of FHFA, and that you may appeal 
the adverse determination under Sec.  1204.5.


Sec.  1204.5  What if I am dissatisfied with the FHFA response to my 
Privacy Act request?

    (a) May I appeal the response? You may appeal any adverse 
determination made by the Privacy Act Officer in response to your 
Privacy Act request. If you wish to seek review by a court of any 
adverse determination or denial of a request, you first must appeal it 
under this section.
    (b) How do I appeal the response? (1) You may appeal by submitting 
a written appeal stating the reasons you believe the adverse 
determination should be overturned. FHFA must receive your written 
appeal within 30 business days of the date of the Privacy Act Officer's 
determination under Sec.  1204.4. Your written appeal may include as 
much or as little related information as you wish, as long as it 
clearly identifies the determination (including the request number, if 
known) that you are appealing.
    (2) You should transmit your written appeal addressed to the 
Privacy Act Appeals Officer by electronic mail, regular mail, or fax. 
The electronic mail address is: privacy@fhfa.gov. The regular mail 
address is: Privacy Act Appeals Officer, Federal Housing Finance 
Agency, 1700 G Street, NW., Fourth Floor, Washington, DC 20552. The fax 
number is: (202) 414-6504. For the quickest possible handling, you 
should mark your electronic mail, letter, or fax and the subject line, 
envelope, or fax cover sheet ``Privacy Act Appeal.'' FHFA ordinarily 
will not act on an appeal if the Privacy Act request becomes a matter 
of Privacy Act litigation.
    (c) Who has the authority to grant or deny appeals? The Privacy Act 
Appeals Officer is authorized to act on behalf of the Director on all 
appeals under this section.
    (d) When will FHFA respond to my appeal? FHFA generally will 
respond to you in writing within 30 business days of receipt of an 
appeal that meets the requirements of paragraph (b) of this section, 
unless for good cause shown, the Director extends the response time.
    (e) What will the FHFA response include? The written response will 
include the determination of the Privacy Act Appeals Officer; whether 
to grant or deny your appeal in whole or in part, a brief explanation 
of the reasons for the determination, and information about the Privacy 
Act provisions for court review of the determination.
    (1) If your appeal concerns a request for access to records or 
information and the appeal determination grants your access, the 
records or information, if any, will be made available to you.
    (2)(i) If your appeal concerns an amendment or correction of a 
record and the appeal determination grants your request for an 
amendment or correction, the response will describe any amendment or 
correction made to the record and advise you of your right to obtain a 
copy of the amended or corrected record under this part. FHFA will 
notify all persons, organizations, or Federal agencies to which it 
previously disclosed the record, if an accounting of that disclosure 
was made, that the record has been amended or corrected. Whenever the 
record is subsequently disclosed, the record will be disclosed as 
amended or corrected.
    (ii) If the response to your appeal denies your request for an 
amendment or correction to a record, the response will advise you of 
your right to file a Statement of Disagreement under paragraph (f) of 
this section.
    (f) What is a Statement of Disagreement? (1) A Statement of 
Disagreement is a concise written statement in which you clearly 
identify each part of any record that you dispute and explain your 
reason(s) for disagreeing with the Privacy Act Appeals Officer's denial 
in whole or in part of your appeal requesting amendment or correction. 
Your Statement of Disagreement must be received by the Privacy Act 
Officer within 30 business days of the Privacy Act Appeals Officer's 
denial in whole or in part of your appeal concerning amendment or 
correction of a record. FHFA will place your Statement of Disagreement 
in the system(s) of records in which the disputed record is maintained. 
FHFA also may append a concise statement of its reason(s) for denying 
the request for an amendment or correction of the record.
    (2) FHFA will notify all persons, organizations, or Federal 
agencies to which it previously disclosed the disputed record, if an 
accounting of that disclosure was made, that the record is disputed and 
provide your Statement of Disagreement and the FHFA concise statement, 
if any. Whenever the disputed record is subsequently disclosed, a copy 
of your Statement of

[[Page 33911]]

Disagreement and the FHFA concise statement, if any, will also be 
disclosed.


Sec.  1204.6  What does it cost to get records under the Privacy Act?

    (a) Must I agree to pay fees? Your Privacy Act request is your 
agreement to pay all applicable fees, unless you specify a limit on the 
amount of fees you agree to pay. FHFA will not exceed the specified 
limit without your written agreement.
    (b) How does FHFA calculate fees? FHFA will charge a fee for 
duplication of a record under the Privacy Act in the same way it 
charges for duplication of records under FOIA (5 U.S.C. 552) in 12 CFR 
1202.11. There are no fees to search for or review records.


Sec.  1204.7  Are there any exemptions from the Privacy Act?

    (a) What is a Privacy Act exemption? The Privacy Act allows the 
Director to exempt records or information in a system of records from 
some of the Privacy Act requirements, if the Director determines that 
the exemption is necessary.
    (b) How do I know if the records or information I want are exempt? 
(1) Each notice of a system of records will advise you if the Director 
has determined records or information in records are exempt from 
Privacy Act requirements. If the Director has claimed an exemption for 
a system of records, the System of Records Notice will identify the 
exemption and the provisions of the Privacy Act from which the system 
is exempt.
    (2) Until superseded by FHFA Systems of Records, the following 
OFHEO and FHFB Systems of Records are, under 5 U.S.C. 552a(k)(2) or 
(k)(5), exempt from the Privacy Act requirements of 5 U.S.C. 
552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f):
    (i) OFHEO-11 Litigation and Enforcement Information System;
    (ii) FHFB-5 Agency Personnel Investigative Records; and
    (iii) FHFB-6 Office of Inspector General Audit and Investigative 
Records.


Sec.  1204.8  How are records secured?

    (a) What controls must FHFA have in place? Each FHFA office must 
establish administrative and physical controls to prevent unauthorized 
access to its systems of records, unauthorized or inadvertent 
disclosure of records, and physical damage to or destruction of 
records. The stringency of these controls should correspond to the 
sensitivity of the records that the controls protect. At a minimum, the 
administrative and physical controls must ensure that:
    (1) Records are protected from public view;
    (2) The area in which records are kept is supervised during 
business hours to prevent unauthorized persons from having access to 
them;
    (3) Records are inaccessible to unauthorized persons outside of 
business hours; and
    (4) Records are not disclosed to unauthorized persons or under 
unauthorized circumstances in either oral or written form.
    (b) Is access to records restricted? Access to records is 
restricted only to authorized employees who require access in order to 
perform their official duties.


Sec.  1204.9  Does FHFA collect and use Social Security numbers?

    FHFA collects Social Security numbers only when it is necessary and 
authorized. At least annually, the Privacy Act Officer or the Senior 
Agency Official for Privacy will inform employees who are authorized to 
collect information that:
    (a) Individuals may not be denied any right, benefit, or privilege 
as a result of refusing to provide their Social Security numbers, 
unless the collection is authorized either by a statute or by a 
regulation issued prior to 1975; and
    (b) They must inform individuals who are asked to provide their 
Social Security numbers:
    (1) If providing a Social Security number is mandatory or 
voluntary;
    (2) If any statutory or regulatory authority authorizes collection 
of a Social Security number; and
    (3) The uses that will be made of the Social Security number.


Sec.  1204.10  What are FHFA employee responsibilities under the 
Privacy Act?

    At least annually, the Privacy Act Officer or the Senior Agency 
Official for Privacy will inform employees about the provisions of the 
Privacy Act, including the Privacy Act's civil liability and criminal 
penalty provisions. Unless otherwise permitted by law, an authorized 
FHFA employee shall:
    (a) Collect from individuals only information that is relevant and 
necessary to discharge FHFA responsibilities;
    (b) Collect information about an individual directly from that 
individual whenever practicable;
    (c) Inform each individual from whom information is collected of:
    (1) The legal authority to collect the information and whether 
providing it is mandatory or voluntary;
    (2) The principal purpose for which FHFA intends to use the 
information;
    (3) The routine uses FHFA may make of the information; and
    (4) The effects on the individual, if any, of not providing the 
information.
    (d) Ensure that the employee's office does not maintain a system of 
records without public notice and notify appropriate officials of the 
existence or development of any system of records that is not the 
subject of a current or planned public notice.
    (e) Maintain all records that are used in making any determination 
about an individual with such accuracy, relevance, timeliness, and 
completeness as is reasonably necessary to ensure fairness to the 
individual in the determination.
    (f) Except for disclosures made under the FOIA, make reasonable 
efforts, prior to disseminating any record about an individual, to 
ensure that the record is accurate, relevant, timely, and complete.
    (g) When required by the Privacy Act, maintain an accounting in the 
specified form of all disclosures of records by FHFA to persons, 
organizations, or Federal agencies.
    (h) Maintain and use records with care to prevent the unauthorized 
or inadvertent disclosure of a record to anyone.
    (i) Notify the appropriate official of any record that contains 
information that the Privacy Act does not permit FHFA to maintain.

CHAPTER XVII--OFFICE OF FEDERAL HOUSING ENTERPRISE OVERSIGHT, 
DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

PART 1702--[REMOVED]

0
3. Remove part 1702.

    Dated: July 9, 2009.
James B. Lockhart III,
Director, Federal Housing Finance Agency.
 [FR Doc. E9-16678 Filed 7-13-09; 8:45 am]
BILLING CODE 8070-01-P