Privacy Act Policies and Procedures, 93857-93861 [2016-30495]

Agencies

• Office of the United States Trade Representative

[Federal Register Volume 81, Number 246 (Thursday, December 22, 2016)]
[Proposed Rules]
[Pages 93857-93861]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-30495]


=======================================================================
-----------------------------------------------------------------------

OFFICE OF THE UNITED STATES TRADE REPRESENTATIVE

15 CFR Parts 2004 and 2005

[Docket Number USTR-2016-0027]
RIN 0350-AA09


Privacy Act Policies and Procedures

AGENCY: Office of the United States Trade Representative.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: As part of a comprehensive review of agency practices related 
to the disclosure of records and information, the Office of the United 
States Trade Representative (USTR) is updating both its systems of 
records and implementing rule under the Privacy Act of 1974 (Privacy 
Act). This proposed rule describes how individuals can find out if a 
USTR system of records contains information about them and, if so, how 
to access or amend a record. The proposed rule would move the Privacy 
Act regulation from part 2005 into a new subpart C to part 2004. USTR 
previously renamed and reorganized part 2004 to include all of the 
rules governing disclosure of USTR records and information. Elsewhere 
in this issue of the Federal Register, USTR is publishing a notice 
concerning updates to its Privacy Act systems of records.

DATES: We must receive your written comments on or before January 23, 
2017.

ADDRESSES: You should submit written comments through the Federal 
eRulemaking Portal: https://www.regulations.gov. The docket number for 
this rulemaking is USTR-2016-0027. USTR invites comments on all aspects 
of the proposed rule, and will revise the language as appropriate after 
taking all timely comments into consideration. Copies of all comments 
will be available for public viewing at www.regulations.gov upon 
completion of processing. You can view a submission by entering the 
docket number USTR-2016-0027 in the search field at https://www.regulations.gov. We will post comments without change and will 
include any personal information you provide, such as your name, 
mailing address, email address, and telephone number.

FOR FURTHER INFORMATION CONTACT: Janice Kaye, Monique Ricker or Melissa 
Keppel, Office of General Counsel, Office of the US Trade 
Representative, Anacostia Naval Annex, Building 410/Door 123, 250 
Murray Lane SW., Washington DC 20509, jkaye@ustr.eop.gov; 
mricker@ustr.eop.gov; mkeppel@ustr.eop.gov; 202-395-3150.

[[Page 93858]]


SUPPLEMENTARY INFORMATION: 

I. Background

    USTR has undertaken a comprehensive review of agency practices 
related to the collection, use, protection and disclosure of USTR 
records and information. As a result of that review, USTR is updating 
both its Privacy Act systems of records and implementing rule. The 
Privacy Act, 5 U.S.C. 552a, balances the Federal Government's need to 
maintain information about individuals while protecting individuals 
against unwarranted invasions of privacy stemming from Federal 
agencies' collection, maintenance, use, security and disclosure of 
personal information about them that is contained in systems of 
records. The Privacy Act requires each Federal agency to publish 
regulations describing its Privacy Act procedures and any system of 
records it exempts from provisions of the Privacy Act, including the 
reasons for the exemption.
    USTR's current Privacy Act rule, codified at 15 CFR part 2005, was 
last revised in 1975. See 40 FR 48331, Oct. 14, 1975. Due to the 
passage of time, we are completely rewriting and updating the rule. We 
are reserving part 2005, the rule's current codification, and moving 
the revised rule into a new subpart C to part 2004. Part 2004 includes 
four subparts containing all of the rules governing disclosure of USTR 
records and information.
    Elsewhere in this issue of the Federal Register, USTR is publishing 
a notice updating the agency's Privacy Act systems of records.

II. Section-by-Section Analysis

    Section 2004.20--Definitions: This section sets forth definitions 
of select terms used in this subpart.
    Section 2004.21--Purpose and scope: This section describes the 
purpose of the regulation, which is to implement the Privacy Act, and 
explains general policies and procedures for individuals requesting 
access to records, requesting amendments or corrections to records, and 
requesting an accounting of disclosures of records.
    Section 2004.22--How to make a Privacy Act request: This section 
explains what an individual must do to submit a valid request to USTR 
for access to records, to amend or correct records, or for an 
accounting of disclosures of records. It also describes the information 
an individual must provide so USTR can identify the records sought and 
determine whether the request can be granted.
    Section 2004.23--How USTR will respond to a Privacy Act request: 
This section describes the period of time within which USTR will 
respond to requests. It also explains that USTR will grant or deny 
requests in writing, provide reasons if a request is denied in whole or 
in part, and explain the right of appeal.
    Section 2004.24--What requesters can do if they are dissatisfied 
with USTR's response to a Privacy Act request: This section describes 
when and how an individual may appeal a determination on a Privacy Act 
request and how and within what period of time USTR will make a 
determination on an appeal.
    Section 2004.25--Fees: This section explains that requesters are 
required to pay fees for the duplication of requested records.
    Section 2004.26--Exemptions: This section explains that certain 
exemptions from the Privacy Act exist, explains how those exemptions 
are made effective, what the effect of an exemption is, and how to 
determine whether an exemption applies.
    Section 2004.27--How records are secured: This section explains how 
we generally protect records under the Privacy Act.
    Section 2004.28--Use and collection of Social Security numbers: 
This section explains that USTR collects Social Security numbers only 
when authorized to do so and describes the conditions under which USTR 
may collect and use Social Security numbers.
    Section 2004.29--USTR employee responsibilities under the Privacy 
Act: This section lists the responsibilities of USTR employees under 
the Privacy Act.

III. Regulatory Flexibility Act

    USTR has considered the impact of the proposed regulation and 
determined that if adopted as a final rule it is not likely to have a 
significant economic impact on a substantial number of small business 
entities because it is applicable only to USTR's internal operations 
and legal obligations. See 5 U.S.C. 601 et seq.

IV. Paperwork Reduction Act

    The proposed rule does not contain any information collection 
requirement that requires the approval of the Office of Management and 
Budget under the Paperwork Reduction Act (44 U.S.C. 3501 et seq.).

List of Subjects

15 CFR Part 2004

    Administrative practice and procedure, Courts, Disclosure, 
Exemptions, Freedom of information, Government employees, Privacy, 
Records, Subpoenas, Testimony.

15 CFR Part 2005

    Privacy.

    For the reasons stated in the preamble, the Office of the United 
States Trade Representative is proposing to amend chapter XX of title 
15 of the Code of Federal Regulations as follows:

PART 2004--DISCLOSURE OF RECORDS AND INFORMATION

0
1. Add subpart C, consisting of Sec. Sec.  2004.20 through 2004.29 to 
read as follows:
Subpart C--Privacy Act Policies and Procedures
Sec.
2004.20 Definitions.
2004.21 Purpose and scope.
2004.22 How do I make a Privacy Act request?
2004.23 How will USTR respond to my Privacy Act request?
2004.24 What can I do if I am dissatisfied with USTR's response to 
my Privacy Act request?
2004.25 What does it cost to get records under the Privacy Act?
2004.26 Are there any exemptions from the Privacy Act?
2004.27 How are records secured?
2004.28 Use and collection of Social Security numbers.
2004.29 USTR employee responsibilities under the Privacy Act.

    Authority:  5 U.S.C. 552a; 19 U.S.C. 2171(e)(3).

Subpart C--Privacy Act Policies and Procedures


Sec.  2004.20   Definitions.

    For purposes of this subpart:
    Access means making a record available to a subject individual.
    Amendment means any correction, addition to or deletion of 
information in a record.
    Individual means a natural person who either is a citizen of the 
United States or an alien lawfully admitted to the United States for 
permanent residence.
    Maintain means to keep or hold and preserve in an existing state, 
and includes the terms collect, use, disseminate and control.
    Privacy Act Office means the USTR officials who are authorized to 
respond to requests and to process requests for amendment of records 
USTR maintains under the Privacy Act.
    Record means any item, collection or grouping of information about 
an individual that USTR maintains within a system of records and 
contains the individual's name or the identifying

[[Page 93859]]

number, symbol or other identifying particular assigned to the 
individual, such as a finger or voice print or photograph.
    System of records means a group of records USTR maintains or 
controls from which information is retrieved by the name of an 
individual or by some identifying number, symbol or other identifying 
particular assigned to the individual. USTR publishes notices in the 
Federal Register announcing the creation, deletion or amendment of its 
systems of records. You can find a description of our systems of 
records on the USTR Web site: www.ustr.gov.


Sec.  2004.21   Purpose and scope.

    (a) This subpart implements the Privacy Act, 5 U.S.C. 552a, a 
Federal law that requires Federal agencies to protect private 
information about individuals that the agencies collect or maintain. It 
establishes USTR's rules for access to records in systems of records we 
maintain that are retrieved by an individual's name or another personal 
identifier. It describes the procedures by which individuals may 
request access to records, request amendment or correction of those 
records, and request an accounting of disclosures of those records by 
USTR. Whenever it is appropriate to do so, USTR automatically processes 
a Privacy Act request for access to records under both the Privacy Act 
and the FOIA, following the rules contained in this subpart and subpart 
B of part 2004. USTR processes a request under both the Privacy Act and 
the FOIA so you will receive the maximum amount of information 
available to you by law.
    (b) This subpart does not entitle you to any service or to the 
disclosure of any record to which you are not entitled under the 
Privacy Act. It also does not, and may not be relied upon to create any 
substantive or procedural right or benefit enforceable against USTR.


Sec.  2004.22   How do I make a Privacy Act request?

    (a) In general. You can make a Privacy Act request on your own 
behalf for records or information about you. You also can make a 
request on behalf of another individual as the parent or guardian of a 
minor, or as the guardian of someone determined by a court to be 
incompetent. You may request access to another individual's record or 
information if you have that individual's written consent, unless other 
conditions of disclosure apply.
    (b) How do I make a request? - (1) Where do I send my written 
request? To make a request for access to a record, you should write 
directly to our Privacy Act Office. Heightened security delays mail 
delivery. To avoid mail delivery delays, we strongly suggest that you 
email your request to PRIVACY@ustr.eop.gov. Our mailing address is: 
Privacy Act Office, Office of the US Trade Representative, Anacostia 
Naval Annex, Building 410/Door 123, 250 Murray Lane SW., Washington DC 
20509. To make sure that the Privacy Act Office receives your request 
without delay, you should include the notation `Privacy Act Request' in 
the subject line of your email or on the front of your envelope and 
also at the beginning of your request.
    (2) Security concerns. To protect our computer systems, we will not 
open attachments to emailed requests--you must include your request 
within the body of the email. We will not process email attachments.
    (c) What should my request include? You must describe the record 
that you seek in enough detail to enable the Privacy Act Office to 
locate the system of records containing the record with a reasonable 
amount of effort. Include specific information about each record 
sought, such as the time period in which you believe it was compiled, 
the name or identifying number of each system of records in which you 
believe it is kept, and the date, title or name, author, recipient, or 
subject matter of the record. As a general rule, the more specific you 
are about the record that you seek, the more likely we will be able to 
locate it in response to your request.
    (d) How do I request amendment or correction of a record? If you 
are requesting an amendment or correction of a USTR record, you must 
identify each particular record in question and the system of records 
in which the record is located, describe the amendment or correction 
that you seek, and state why you believe that the record is not 
accurate, relevant, timely or complete. You may submit any 
documentation that you think would be helpful, including an annotated 
copy of the record.
    (e) How do I request an accounting of record disclosures? If you 
are requesting an accounting of disclosures made by USTR to another 
person, organization or Federal agency, you must identify each 
particular record in question. An accounting generally includes the 
date, nature and purpose of each disclosure, as well as the name and 
address of the person, organization, or Federal agency to which the 
disclosure was made.
    (f) Verification of identity. When making a Privacy Act request, 
you must verify your identity in accordance with these procedures to 
protect your privacy or the privacy of the individual on whose behalf 
you are acting. If you make a Privacy Act request and you do not follow 
these identity verification procedures, USTR cannot process your 
request.
    (1) How do I verify my own identity? You must state your full name, 
current address, and date and place of birth. In order to help identify 
and locate the records, you also may, at your option, include your 
Social Security number. To verify your own identity, you must provide 
an unsworn declaration under 28 U.S.C. 1746, a law that permits 
statements to be made under penalty of perjury. To fulfill this 
requirement, you must include the following statement just before the 
signature on your request:
    I declare under penalty of perjury that the foregoing is true and 
correct. Executed on [date].
    (2) How do I verify parentage or guardianship? If you make a 
request as the parent or guardian of a minor, or as the guardian of 
someone determined by a court to be incompetent, for access records or 
information about that individual, you must establish:
    (i) The identity of the individual who is the subject of the 
record, by stating the individual's name, current address and date and 
place of birth, and, at your option, the Social Security number of the 
individual;
    (ii) Your own identity, as required in paragraph (f)(1) of this 
section;
    (iii) That you are the parent or guardian of the individual, which 
you may prove by providing a copy of the individual's birth certificate 
showing your parentage or a court order establishing your guardianship; 
and
    (iv) That you are acting on behalf of the individual in making the 
request.


Sec.  2004.23   How will USTR respond to my Privacy Act request?

    (a) When will we respond to your request? We will search to 
determine if the requested records exist in a system of records USTR 
owns or controls. The Privacy Act Office will respond to you in writing 
within twenty days after we receive your request, if it meets the 
requirements of this subpart. We may extend the response time in 
unusual circumstances, such as the need to consult with another agency 
about a record or to retrieve a record shipped offsite for storage.
    (b) What will our response include? Our written response will 
include our determination whether to grant or deny your request in 
whole or in part, a brief explanation of the reasons for the 
determination, and the amount of the fee charged, if any, under Sec.  
2004.25. If

[[Page 93860]]

you requested access to records, we will make the records, if any, 
available to you. If you requested amendment or correction of a record, 
the response will describe any amendments or corrections made and 
advise you of your right to obtain a copy of the amended or corrected 
record.
    (c) Adverse determinations--(1) What is an adverse determination? 
An adverse determination is a response to a Privacy Act request that:
    (i) Withholds any requested record in whole or in part;
    (ii) Denies a request to amend or correct a record in whole or in 
part;
    (iii) Declines to provide an accounting of disclosures;
    (iv) Advises that a requested record does not exist or cannot be 
located;
    (v) Finds that what you requested is not a record subject to the 
Privacy Act; or
    (vi) Advises on any disputed fee matter.
    (2) Responses that include an adverse determination. If the Privacy 
Act Office makes an adverse determination with respect to your request, 
our written response will identify the person responsible for the 
adverse determination, that the adverse determination is not a final 
agency action, and that you may appeal the adverse determination under 
Sec.  2004.24.


Sec.  2004.24   What can I do if I am dissatisfied with USTR's response 
to my Privacy Act request?

    (a) What can I appeal? You can appeal any adverse determination in 
writing to our Privacy Act Appeals Committee within thirty calendar 
days after the date of our response. We provide a list of adverse 
determinations in Sec.  2004.23(c).
    (b) How do I make an appeal?--(1) What should I include? You may 
appeal by submitting a written statement giving the reasons why you 
believe the Committee should overturn the adverse determination. Your 
written appeal may include as much or as little related information as 
you wish to provide, as long as it clearly identifies the determination 
(including the request number, if known) that you are appealing.
    (2) Where do I send my appeal? You should mark both your letter and 
the envelope, or the subject of your email, ``Privacy Act Appeal''. To 
avoid mail delivery delays caused by heightened security, we strongly 
suggest that you email any appeal to PRIVACY@ustr.eop.gov. Our mailing 
address is: Privacy Office, Office of the US Trade Representative, 
Anacostia Naval Annex, Building 410/Door 123, 250 Murray Lane SW., 
Washington DC 20509.
    (c) Who will decide your appeal? (1) The Privacy Act Appeals 
Committee or designee will act on all appeals under this section.
    (2) We ordinarily will not adjudicate an appeal if the request 
becomes a matter of litigation.
    (3) On receipt of any appeal involving classified information, the 
Privacy Act Appeals Committee must take appropriate action to ensure 
compliance with applicable classification rules.
    (d) When will we respond to your appeal? The Privacy Act Appeals 
Committee will notify you of its appeal decision in writing within 
thirty days from the date it receives an appeal that meets the 
requirements of paragraph (b) of this section. We may extend the 
response time in unusual circumstances, such as the need to consult 
with another agency about a record or to retrieve a record shipped 
offsite for storage.
    (e) What will our response include? The written response will 
include the Committee's determination whether to grant or deny your 
appeal in whole or in part, a brief explanation of the reasons for the 
determination, and information about the Privacy Act provisions for 
court review of the determination.
    (1) Appeals concerning access to records. If your appeal concerns a 
request for access to records and the appeal is granted in whole or in 
part, we will make the records, if any, available to you.
    (2) Appeals concerning amendments or corrections. If your appeal 
concerns amendment or correction of a record, the response will 
describe any amendment or correction made and advise you of your right 
to obtain a copy of the amended or corrected record. We will notify all 
persons, organizations or Federal agencies to which we previously 
disclosed the record, if an accounting of that disclosure was made, 
that the record has been amended or corrected. Whenever the record is 
subsequently disclosed, the record will be disclosed as amended or 
corrected. If our response denies your request for an amendment or 
correction to a record, we will advise you of your right to file a 
statement of disagreement under paragraph (f) of this section.
    (f) Statements of disagreement--(1) What is a statement of 
disagreement? A statement of disagreement is a concise written 
statement in which you clearly identify each part of any record that 
you dispute and explain your reason(s) for disagreeing with our denial 
in whole or in part of your appeal requesting amendment or correction.
    (2) How do I file a statement of disagreement? We must receive your 
statement of disagreement within thirty calendar days of our denial in 
whole or in part of your appeal concerning amendment or correction of a 
record.
    (3) What will we do with your statement of disagreement? We will 
place your statement of disagreement in the system(s) of records in 
which the disputed record is maintained. We also may append a concise 
statement of our reason(s) for denying the request to amend or correct 
the record. Whenever the record is subsequently disclosed, the record 
will be disclosed along with your statement of disagreement and our 
explanation, if any.
    (g) When appeal is required. Before seeking review by a court of an 
adverse determination or denial of a request, you generally first must 
submit a timely administrative appeal under this section.


Sec.  2004.25   What does it cost to get records under the Privacy Act?

    (a) Your request is an agreement to pay fees. We consider your 
Privacy Act request as your agreement to pay all applicable fees unless 
you specify a limit on the amount of fees you agree to pay. We will not 
exceed the specified limit without your written agreement.
    (b) How do we calculate fees? We will charge a fee for duplication 
of a record under the Privacy Act in the same way we charge for 
duplication of records under the FOIA in Sec.  2004.9. There are no 
fees to search for or review records requested under the Privacy Act.


Sec.  2004.26   Are there any exemptions from the Privacy Act?

    (a) What is a Privacy Act exemption? The Privacy Act authorizes 
USTR to exempt records or information in a system of records from some 
of the Privacy Act requirements, if we determine that the exemption is 
necessary. With the exception of certain law enforcement records, we 
will not provide you with an accounting of disclosures or make 
available to you records that are exempt.
    (b) How do I know if the records or information I want are exempt? 
Each USTR system of records notice will advise you if we have 
determined that records or information in records are exempt from 
Privacy Act requirements. If we have claimed an exemption for a system 
of records, the system of records notice will identify the exemption 
and the provisions of the Privacy Act from which the system is exempt.


Sec.  2004.27   How are records secured?

    (a) Controls. USTR must establish administrative and physical 
controls to

[[Page 93861]]

prevent unauthorized access to its systems of records, unauthorized or 
inadvertent disclosure of records, and physical damage to or 
destruction of records. The stringency of these controls corresponds to 
the sensitivity of the records that the controls protect. At a minimum, 
the administrative and physical controls must ensure that:
    (1) Records are protected from public view;
    (2) The area in which records are kept is supervised during 
business hours to prevent unauthorized persons from having access to 
them;
    (3) Records are inaccessible to unauthorized persons outside of 
business hours; and
    (4) Records are not disclosed to unauthorized persons or under 
unauthorized circumstances in either oral or written form.
    (b) Limited access. Access to records is restricted only to 
individuals who require access in order to perform their official 
duties.


Sec.  2004.28   Use and collection of Social Security numbers.

    We will collect Social Security numbers only when it is necessary 
and we are authorized to do so. At least annually, the Privacy Act 
Office will inform employees who are authorized to collect information 
that:
    (a) Individuals may not be denied any right, benefit or privilege 
as a result of refusing to provide their Social Security numbers, 
unless the collection is authorized either by a statute or by a 
regulation issued prior to 1975; and
    (b) They must inform individuals who are asked to provide their 
Social Security numbers:
    (1) If providing a Social Security number is mandatory or 
voluntary;
    (2) If any statutory or regulatory authority authorizes collection 
of a Social Security number; and
    (3) The uses that will be made of the Social Security number.


Sec.  2004.29   Employee responsibilities under the Privacy Act.

    At least annually, the Privacy Act Office will inform employees 
about the provisions of the Privacy Act, including the Act's civil 
liability and criminal penalty provisions. Unless otherwise permitted 
by law, a USTR employee must:
    (a) Collect from individuals only information that is relevant and 
necessary to discharge USTR's responsibilities.
    (b) Collect information about an individual directly from that 
individual whenever practicable.
    (c) Inform each individual from whom information is collected of:
    (1) The legal authority to collect the information and whether 
providing it is mandatory or voluntary;
    (2) The principal purpose for which USTR intends to use the 
information;
    (3) The routine uses, i.e., disclosures of records and information 
contained in a system of records without the consent of the subject of 
the record, USTR may make; and
    (4) The effects on the individual, if any, of not providing the 
information.
    (d) Ensure that the employee's office does not maintain a system of 
records without public notice and notify appropriate officials of the 
existence or development of any system of records that is not the 
subject of a current or planned public notice.
    (e) Maintain all records that are used in making any determination 
about an individual with such accuracy, relevance, timeliness and 
completeness as is reasonably necessary to ensure fairness to the 
individual in the determination.
    (f) Except for disclosures made to an agency or under the FOIA, 
make reasonable efforts, prior to disseminating any record about an 
individual, to ensure that the record is accurate, relevant, timely and 
complete.
    (g) When required by the Privacy Act, maintain an accounting in the 
specified form of all disclosures of records by USTR to persons, 
organizations or agencies.
    (h) Maintain and use records with care to prevent the unauthorized 
or inadvertent disclosure of a record to anyone.
    (i) Notify the appropriate official of any record that contains 
information that the Privacy Act does not permit USTR to maintain.

PART 2005--[REMOVED]

0
3. Remove part 2005.

Janice Kaye,
Chief Counsel for Administrative Law, Office of the U.S. Trade 
Representative.
[FR Doc. 2016-30495 Filed 12-21-16; 8:45 am]
 BILLING CODE 3290-F7-P