Privacy Act Regulations, 44044-44052 [2017-19996]

Download as PDF 44044 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations (2) Whether any identified commercial interest of the Requester is sufficiently large in comparison with the public interest in disclosure that disclosure is primarily in the commercial interest of the Requester. A Fee Waiver is justified where the public interest standard of paragraph (b) of this section is satisfied and that public interest is greater in magnitude than that of any identified commercial interest in disclosure. The NCPC ordinarily shall presume that a Representative of the News Media satisfies the public interest standard, and the public interest will be the interest primarily served by disclosure to that Requester. Disclosure to data brokers or others who merely compile and market government information for direct economic return shall not be presumed to primarily serve the public interest. (d) Where only some of the Records to be released satisfy the requirements for a Fee Waiver, a Fee Waiver shall be granted for those Records. (e) Requests for a Fee Waiver should address the factors listed in paragraphs (a) through (c) of this section, insofar as they apply to each Request. The NCPC shall exercise its discretion to consider the cost-effectiveness of its investment of administrative resources in this decision-making process in deciding to grant Fee Waivers. § 602.15 Preservation of FOIA records. sradovich on DSKBBY8HB2PROD with RULES2 (a) The NCPC shall preserve all correspondence pertaining to FOIA Requests received and copies or Records provided until disposition or destruction is authorized by the NCPC’s General Records schedule established in accordance with the National Archives and Records Administration (NARA) approved schedule. (b) Materials that are responsive to a FOIA Request shall not be disposed of or destroyed while the Request or a related lawsuit is pending even if the Records would otherwise be authorized for disposition under the NCPC’s General Records Schedule or NARA or other NARA-approved records schedule. Dated: September 14, 2017. Anne R. Schuyler, General Counsel. [FR Doc. 2017–19997 Filed 9–19–17; 8:45 am] BILLING CODE 7502–20–P VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 accounting of disclosures of those Records by the NCPC; the procedures by which an Individual may appeal an 1 CFR Parts 455 and 603 Adverse Determination, and the conduct of a Privacy Impact Assessment. Privacy Act Regulations § 603.2 Definitions. This section defines terms frequently used in the AGENCY: National Capital Planning regulations. The section includes the Commission. five terms defined in the existing ACTION: Final rule. regulations—Individual, Maintain, SUMMARY: The National Capital Planning Record, Routine Use and System of Records. It adds the definitions for the Commission (NCPC or Commission) following terms: Adverse hereby adopts new regulations Determination, E-Government Act of governing NCPC’s implementation of 2002, Information in Identifiable Form the Privacy Act, as amended and the privacy provisions of the E-Government (IIF), Information Technology, Privacy Act Officer (PAO), Privacy Act, Privacy Act of 2002. NCPC must comply with the requirements of the Privacy Act and Impact Assessment (PIA), Record, Requester, Request for Access to a the privacy provisions of the ERecord, Request for Amendment or Government Act of 2002 for records maintained on individuals and personal Correction of a Record, Senior Agency Official for Privacy (SAOP), System of information stored as a hard copy or Records Notice (SORN), and Workday. electronically. § 603.3 Privacy Act program DATES: This rule is effective October 20, responsibilities. This section requires 2017. NCPC to designate a SAOP and a PAO FOR FURTHER INFORMATION CONTACT: and outlines the responsibilities Anne R. Schuyler, General Counsel at associated with both positions. It also 202–482–7223, anne.schuyler@ enumerates the Privacy Act ncpc.gov. responsibilities of other NCPC SUPPLEMENTARY INFORMATION: NCPC personnel. § 603.4 Standards used to Maintain adopted its current Privacy Regulations Records. This section establishes the (1 CFR part 455) in 1977 pursuant to 5 standards NCPC must follow regarding U.S.C. 552a. Since that time, Congress amended the Privacy Act multiple times privacy information. The section including the E-Government Act of 2002 requires NCPC to limit private information to only that necessary to which addressed requirements for achieve the purposes for which it is maintaining electronic privacy records. The regulations update NCPC’s existing collected and stored; to ensure all information collected is accurate, Privacy Regulations to reflect relevant, timely, and complete; and to amendments over time. The Office of collect privacy information regarding an the Federal Register recently assigned NCPC a new chapter of 1 CFR—Chapter Individual’s rights, benefits and privileges under federal programs from VI—to allow NCPC to group all its the Individual to the maximum extent regulations together in one chapter. possible subject to collection from third NCPC eliminates its Privacy parties in certain circumstances. Regulations at 1 CFR part 455 and § 603.5 Notice to Individuals codifies the new Privacy Regulations at supplying information. This section 1 CFR part 603. enumerates the information NCPC must I. Section by Section Analysis of provide Individuals who are asked to NCPC’s Privacy Act Regulations supply information about themselves. § 603.1 Purpose and scope. This The required information enumerated section advises the purpose of the includes the purpose for which NCPC regulations is to implement a privacy intends to use the information; the program consistent with the effects upon an Individual for not requirements of the Privacy Act and the providing the information; and the form privacy related provision of the Eof notice NCPC must supply in response Government Act of 2002. As stated in to an Individual’s provision of the section, NCPC’s privacy program information. § 603.6 System of Records (SOR) extends to all Records maintained by Notice (SORN). This section requires NCPC in a System of Records; the NCPC to publish a notice in the Federal responsibilities of NCPC to safeguard Register describing each SOR 40-days this information; the procedures by before establishing a new or revising an which Individuals may request notification of the existence of a Record existing SOR. The section requires the SORN to include the purpose of the about them, access to Records about them, an amendment to or correction of Records and their location; the types of Individuals contained in the SOR; the the Records about them, and an NATIONAL CAPITAL PLANNING COMMISSION PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 E:\FR\FM\20SER2.SGM 20SER2 sradovich on DSKBBY8HB2PROD with RULES2 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations authority for maintaining the SOR; the purpose or reason why NCPC collects the Records and their intended routine uses; the sources of the Records in the SOR; the policies and practices regarding storage, retrieval, access controls, retention, and disposal of the Records; the identification of the agency official responsible for the SOR; and the procedures for notifying an Individual who requests whether the SOR contains information about him/her. § 603.7 Procedures to safeguard Records. This section describes the procedures utilized by NCPC to safeguard hard copy and computerized records subject to the Privacy Act. The section requires hard copy Records to be stored in a locked room subject to restricted access with external posted warning signs limiting access to authorized personnel and/or stored in a locked container with identical precautions to those used for a locked room. The section requires computerized Records to be maintained subject to the Safeguards recommended by the National Institute of Standards and Technology (NIST). § 603.8 Employee conduct. This section requires employees with duties requiring access to and handling of Records to do so in a manner that protects the integrity, security and confidentiality of the Records. It prohibits employee disclosure of records unless authorized by the rules in this part, permitted by NCPC’s FOIA regulations (1 CFR part 602), or disclosed to the Individual to whom the Record pertains. The section also prohibits destruction or alteration of Records unless required as part of an employee’s regular duties, required by regulations published by the National Archives Record Administration (NARA), or required by a court of law. § 603.9 Government contracts. This section requires contractors operating a System of Records on behalf of NCPC to abide by the requirements of the Privacy Act. It also equires a NCPC employee to oversee and manage the SOR operated by a contractor. § 603.10 Conditions for disclosure. Subject to a list of enumerated exceptions, this section precludes disclosure of a Record contained in a SOR unless prior written consent is obtained from the Individual to whom the record pertains. § 603.11 Accounting of disclosures. This section requires NCPC to prepare an accounting of disclosure when a Record is disclosed to any person or to another agency. The section requires the contents of an accounting to include the date, nature, and purpose of the disclosure VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 and the name and address of the person or agency to whom the disclosure was made. The section also requires Accountings of disclosures to be made available to the Individual about whom the disclosed Record pertains except under limited circumstances. It further requires changes to disclosed Records to be shared with the person or agency to whom the Record was originally disclosed. § 603.12 Requests for notification of the existence of Records. This section advises Individuals how to determine whether a System of Records maintained by NCPC contains Records pertaining to them. It requires Individuals either to contact NCPC in writing or appear at NCPC’s offices by appointment to make the subject request. The section requires the NCPC PAO to respond to a request in writing within 20 Workdays, to include in the response the Reason(s) for the PAO’s determination, and to advise the requester of the right to appeal the decision. § 603.13 Request for access to Records. This section advises Individuals how to access NCPC records about themselves. It requires Individuals to request the right to access Records either in writing or to appear at NCPC’s offices by appointment. The section enumerates the information required to be included in a request, and obligates Individuals to present certain specified identification to access the requested Records. The section also requires the NCPC PAO to respond to a request for access in writing within 20 Workdays, to state in the response the reason for the PAO’s determination, and to advise the Requester of the right to appeal an Adverse Determination. § 603.14 Requests for amendment or correction of Records. This section outlines the process Individuals must follow to amend or correct Records about them that they believe are inaccurate, irrelevant, untimely or incomplete. The section requires a request for amendment or correction to be in writing, include certain specified information, and to be made only if the Individual has previously requested and been granted access to the Record. The section also requires the NCPC PAO to respond to a request for amendment or correction in writing within 20 Workdays, to state the reason for the PAO’s determination in the response, to advise the requester of the right to appeal an Adverse Determination, to ensure the Record is amended or corrected in whole or in part if the PAO approves the request, and to place a notation of a dispute on the Record if the request is denied. PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 44045 § 603.15 Requests for an accounting of Records disclosures. This section outlines the process Individuals must follow to obtain information about disclosures of Records pertaining to them. It requires a request for information about Records disclosed to include certain specified information. The section also requires the NCPC PAO to respond to a request for information about disclosures in writing within 20 Workdays, to include, in the event of a disclosure, the date, nature and purpose of the disclosure, the name and address of the person or agency to whom the disclosure was made. The section further requires the PAO to state the reason for his/her determination and to advise the requester of the right to appeal an Adverse Determination. § 602.16 Appeals of Adverse Determinations. This section describes the process Individuals must follow to appeal an Adverse Determination. As defined in the definition section of the regulations Adverse Determination means a decision to withhold any requested Record in whole or in part; a decision that the requested Record does not exist or cannot be located; a decision that the requested information is not a Record subject to the Privacy Act; a decision that a Record, or part thereof, does not require amendment or correction; a decision to refuse to disclose an accounting of disclosure; and a decision to deny a fee waiver. The term also encompasses a challenge to NCPC’s determination that Records have not been described adequately, that there are no responsive Records, or that an adequate search has been conducted. The section requires an Individual to submit a written appeal to the Chairman of the Commission stating the legal, factual or other basis for the Appeal, and it requires the Chairman to provide a written response within 30 Workdays. The section also requires NCPC to take prompt action to respond affirmatively to the Individual’s original request if the Chairman grants the request and to state the reasons for a denial and the right to appeal the denial to a court of competent jurisdiction. § 603.17 Fees. This section states the fees to be charged for the search for and duplication of Records. It advises fees for duplication shall be those established by NCPC’s FOIA Regulations, and it states there are no fees for the search or review of Records requested by an Individual. § 603.18 Privacy Impact Assessments. This section states when NCPC must conduct a Privacy Impact Assessment (PIA), the contents of a PIA, and the process for approving the PIA. The section requires a PIA to be E:\FR\FM\20SER2.SGM 20SER2 44046 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations conducted before developing or procuring an IT system that collects, maintains or disseminates Information that identifies an Individual (IIF or Information in Identifiable Form) or when NCPC installs a new collection of IIF for 10 or more persons other than employees, or agencies of the federal government. The section also requires a PIA to analyze a number of factors related to the collection, use, owner, storage and manner of securing the IIF, and it requires the PIA to be approved and posted on NCPC’s Web site prior to undertaking the action that required the PIA. II. Summary of and Response to Comments NCPC published a proposed rule addressing revisions to its current Privacy Act Regulations in the Federal Register on August 1, 2017 for a 30-day public comment period. The public comment period closed on August 31, 2017. NCPC received no comments on its proposed Privacy Act Regulations. Consequently, the proposed Privacy Act Regulations are now being advertised as the final Privacy Act Regulations. III. Compliance With Laws and Executive Orders Executive Orders 12866 and 13563 By Memorandum dated October 12, 1993 from Sally Katzen, Administrator, Office of Information and Regulatory Affairs (OIRA) to Heads of Executive Departments and Agencies, and Independent Agencies, OMB rendered the NCPC exempt from the requirements of Executive Order 12866 (See, Appendix A of cited Memorandum). Nonetheless, NCPC endeavors to adhere to the provisions of Executive Orders and developed this rule in a manner consistent with the requirements of Executive Order 13563. sradovich on DSKBBY8HB2PROD with RULES2 Executive Order 13771 By virtue of its exemption from the requirements of EO 12866, NCPC is exempted from this Executive Order. NCPC confirmed this fact with OIRA. Regulatory Flexibility Act As required by the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), the NCPC certifies that the rule will not have a significant economic effect on a substantial number of small entities. Small Business Regulatory Enforcement Fairness Act This is not a major rule under 5 U.S.C. 804(2), the Small Business Regulatory Enforcement Fairness Act. It does not have an annual effect on the economy VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 of $100 million or more; will not cause a major increase in costs for individuals, various levels of governments or various regions; and does not have a significant adverse effect on completion, employment, investment, productivity, innovation or the competitiveness of US enterprises with foreign enterprises. Unfunded Mandates Reform Act (2 U.S.C. 1531 et seq.) A statement regarding the Unfunded Mandates Reform Act is not required. The rule neither imposes an unfunded mandate of more than $100 million per year nor imposes a significant or unique effect on State, local or tribal governments or the private sector. Federalism (Executive Order 13132) In accordance with Executive Order 13132, the rule does not have sufficient federalism implications to warrant the preparation of a Federalism Assessment. The rule does not substantially and directly affect the relationship between the Federal and state governments. Civil Justice Reform (Executive Order 12988) The General Counsel of NCPC has determined that the rule does not unduly burden the judicial system and meets the requirements of Executive Order 12988 3(a) and 3(b)(2). Paperwork Reduction Act The rule does not contain information collection requirements, and it does not require a submission to the Office of Management and Budget under the Paperwork Reduction Act. 9. National Environmental Policy Act The rule is of an administrative nature, and its adoption does not constitute a major federal action significantly affecting the quality of the human environment. NCPC’s adoption of the rule will have minimal or no effect on the environment; impose no significant change to existing environmental conditions; and will have no cumulative environmental impacts. 10. Clarity of the Regulation Executive Order 12866, Executive Order 12988, and the Presidential Memorandum of June 1, 1998 requires the NCPC to write all rules in plain language. NCPC maintains the rule meets this requirement. Those individuals reviewing the rule who believe otherwise should submit specific comments to the addresses noted above recommending revised language for those provision or portions PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 thereof where they believe compliance is lacking. 11. Public Availability of Comments Be advised that personal information such as name, address, phone number, electronic address, or other identifying personal information contained in a comment may be made publically available. Individuals may ask NCPC to withhold the personal information in their comment, but there is no guarantee the agency can do so. List of Subjects in 1 CFR Parts 455 and 603 Privacy For the reasons stated in the preamble, the National Capital Planning Commission amends 1 CFR Chapters IV and VI as follows: CHAPTER IV—MISCELLANEOUS AGENCIES PART 455—[Removed] 1. Under the authority of 40 U.S.C. 8711(a) remove part 455. ■ CHAPTER VI—NATIONAL CAPITAL PLANNING COMMISSION ■ 2. Add part 603 to read as follows: PART 603—PRIVACY ACT REGULATIONS Sec. 603.1 Purpose and scope. 603.2 Definitions. 603.3 Privacy Act program responsibilities. 603.4 Standard used to Maintain Records. 603.5 Notice to Individuals supplying information. 603.6 System of Records Notice or SORN. 603.7 Procedures to safeguard Records. 603.8 Employee conduct. 603.9 Government contracts. 603.10 Conditions of disclosure. 603.11 Accounting for disclosures. 603.12 Requests for notification of the existence of Records. 603.13 Requests for access to Records. 603.14 Requests for Amendment or Correction of Records. 603.15 Requests for Accounting of Record disclosures. 603.16 Appeals of Adverse Determinations. 603.17 Fees. 603.18 Privacy Impact Assessments. Authority: 5 U.S.C. 552a as amended and 44 U.S.C. ch. 36. § 603.1 Purpose and scope. (a) This part contain the rules the National Capital Planning Commission (NCPC) shall follow to implement a privacy program as required by the Privacy Act of 1974, 5 U.S.C. 552a (Privacy Act or Act) and the privacy provisions of the E-Government Act of 2002 (44 U.S.C. ch. 36) (E-Government Act). These rules should be read together with the Privacy Act and the E:\FR\FM\20SER2.SGM 20SER2 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations privacy related provisions of the EGovernment Act, which provide additional information respectively about Records maintained on individuals and protections for the privacy of personal information as agencies implement citizen-centered electronic Government. (b) Consistent with the requirements of the Privacy Act, the rules in this part apply to all Records maintained by NCPC in a System of Records; the responsibilities of the NCPC to safeguard this information; the procedures by which Individuals may request notification of the existence of a record, request access to Records about themselves, request an amendment to or correction of those Records, and request an accounting of disclosures of those Records by the NCPC; and the procedures by which an Individual may appeal an Adverse Determination. (c) Consistent with the privacy related requirements of the E-Government Act, the rules in this part also address the conduct of a privacy impact assessment prior to developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form, initiating a new electronic collection of information in identifiable form for 10 or more persons excluding agencies, instrumentalities or employees of the federal government, or changing an existing System that creates new privacy risks. (d) In addition to the rules in this part, the NCPC shall process all Privacy Act Requests for Access to Records in accordance with the Freedom of Information Act (FOIA), 5 U.S.C. 552, and part 602 of this chapter. sradovich on DSKBBY8HB2PROD with RULES2 § 603.2 Definitions. For purposes of this part, the following definitions shall apply: Adverse Determination shall mean a decision to withhold any requested Record in whole or in part; a decision that the requested Record does not exist or cannot be located; a decision that the requested information is not a Record subject to the Privacy Act; a decision that a Record, or part thereof, does not require amendment or correction; a decision to refuse to disclose an accounting of disclosure; and a decision to deny a fee waiver. The term shall also encompass a challenge to NCPC’s determination that Records have not been described adequately, that there are no responsive Records or that an adequate search has been conducted. E-Government Act of 2002 shall mean Public Law 107–347, Dec. 17, 2002, 116 Stat. 2899, the privacy portions of which are set out as a note under section 3501 of title 44. VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 Individual shall mean a citizen of the United States or an alien lawfully admitted for permanent residence. Information in Identifiable Form (IIF) shall mean information in an Information Technology system or an online collection that directly identifies an individual, e.g., name, address, social security number or other identifying number or code, telephone number, email address and the like; or information by which the NCPC intends to identify specific individuals in conjunction with other data elements, e.g., indirect identification that may include a combination of gender, race, birth date, geographic identifiers, and other descriptions. Information Technology (IT) shall mean, as defined in the Clinger Cohen Act (40 U.S.C. 11101(6)), any equipment, software or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data. Maintain shall include maintain, collect, use or disseminate a Record. Privacy Act Officer shall mean the individual within the NCPC charged with responsibility for coordinating and implementing NCPC’s Privacy Act program. Privacy Act or Act shall mean the Privacy Act of 1974, as amended and codified at 5 U.S.C. 552a. Privacy Impact Assessment (PIA) shall mean an analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic system; and to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. Record shall mean any item, collection, or grouping of information about an Individual that is Maintained by the NCPC, including, but not limited to, an Individual’s education, financial transactions, medical history, and criminal or employment history and that contains a name, or identifying number, symbol, or other identifying particular assigned to the Individual, such as a finger or voice print or photograph. Requester shall mean an Individual who makes a Request for Access to a Record, a Request for Amendment or Correction of a Record, or a Request for Accounting of a Record under the Privacy Act. PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 44047 Request for Access to a Record shall mean a request by an Individual made to the NCPC pursuant to subsection (d)(1) of the Privacy Act to gain access to his/her Records or to any information pertaining to him/her in the system and to permit him/her, or a person of his/her choosing, to review and copy all or any portion thereof. Request for Amendment or Correction of a Record shall mean a request made by an Individual to the NCPC pursuant to subsection (d)(2) of the Privacy Act to amend or correct a Record pertaining to him/her. Routine Use shall mean with respect to disclosure of a Record, the use of such Record for a purpose which is compatible with the purpose for which the Record is collected. Senior Agency Official for Privacy (SAOP) shall mean the individual within NCPC responsible for establishing and overseeing the NCPC’s Privacy Act program. System of Records or System (SOR or Systems) shall mean a group of any Records under the control of the NCPC from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. System of Record Notice (SORN) shall mean a notice published in the Federal Register by the NCPC for each new or revised System of Records intended to solicit public comment on the System prior to implementation. Workday shall mean a regular Federal workday excluding Saturday, Sunday and legal Federal holidays when the federal government is closed. § 603.3 Privacy Act program responsibilities. (a) The NCPC shall designate a Senior Agency Official for Privacy (SAOP) to establish and oversee the NCPC’s Privacy Act Program and ensure compliance with privacy laws, regulations and the NCPC’s privacy policies. Specific responsibilities of the SAOP shall include: (1) Reporting to the Office of Management and Budget (OMB) and Congress on the establishment of or revision to Privacy Act Systems; (2) Reporting periodically to OMB on Privacy Act activities as required by law and OMB; (3) Signing Privacy Act SORNS for publication in the Federal Register; (4) Approving and signing PIAs; and (5) Serving as head of the agency response team when responding to a large-scale information breach. (b) The NCPC shall designate a Privacy Act Officer (PAO) to coordinate E:\FR\FM\20SER2.SGM 20SER2 sradovich on DSKBBY8HB2PROD with RULES2 44048 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations and implement the NCPC’s Privacy Act program. Specific responsibilities of the PAO shall include: (1) Developing, issuing and updating, as necessary, the NCPC’s Privacy Act policies, standards, and procedures; (2) Maintaining Privacy Act program Records and documentation; (3) Responding to Privacy Act Requests for Records and coordinating appeals of Adverse Determinations for Requests for access to Records, Requests for Amendment or Correction of Records, and Requests for accounting for disclosures; (4) Informing Individuals of information disclosures; (5) Working with the NCPC’s Division Directors or designated staff to develop an appropriate form for collection of Privacy Act information and including in the form a Privacy Act statement explaining the purpose for collecting the information, how it will be used, the authority for such collection, its routine uses, and the effect upon the Individual of not providing the requested information; (6) Assisting in the development of new or revised SORNs; (7) Developing SORN reports for OMB and Congress; (8) Submitting new or revised SORNS to the Federal Register for publication; (9) Assisting in the development of computer matching systems; (10) Preparing Privacy Act, Computer Matching, and other reports to OMB as required; and (11) Evaluating PIA to ensure compliance with E-Government Act requirements. (c) Other Privacy related responsibilities shall be shared by the NCPC Division Directors, the NCPC Chief Information Officer (CIO), the NCPC System Developers and Designers, the NCPC Configuration Control Board, the NCPC employees, and the Chairman of the Commission. (1) The NCPC Division Directors shall be responsible for coordinating with the PAO the implementation of the requirements set forth in this part for Systems of Records applicable to their area of management and the preparation of PIA prior to development or procurement of new systems that collect, maintain or disseminate IIF. Specific responsibilities include: (i) Reviewing existing SOR for need, relevance, and purpose for existence, and proposing SOR changes to the PAO as necessary in response to altered circumstances; (ii) Reviewing existing SOR to ensure information is accurate, complete and up to date; (iii) Coordinating with the PAO the preparation of new or revised SORN; VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 (iv) Coordinating with the PAO the development of an appropriate form for collection of Privacy Act information and including in the form a Privacy Act statement explaining the purpose for collecting the information, how it will be used, the authority for such collection, its routine uses, and the effect upon the Individual of not providing the requested information; (v) Collecting information directly from individuals whenever possible; (vii) Assisting the PAO with providing access to Individuals who request information in accordance with the procedures established in §§ 603.12, 603.13, 603.14 and 603.15. (vii) Amending Records if and when appropriate, and working with the PAO to inform recipients of former Records of such amendments; (viii) Ensuring that System information is used only for its stated purpose; (ix) Establishing and overseeing appropriate administrative, technical, and physical safeguards to ensure security and confidentiality of Records; and (x) Working with the SAOP, the PAO and Configuration Control Board (CCB) on SORs, preparing a PIA, if needed, and obtaining SAOP approval for a PIA prior to its publication on the NCPC Web site. (2) The CIO shall be responsible for implementing IT security management to include security for information protected by the Privacy Act and the EGovernment Act of 2002. Specific responsibilities include: (i) Overseeing security policy for privacy data; and (ii) Reviewing PIAs prepared for information security considerations. (3) The NCPC System Developers and Designers shall be responsible for ensuring that the IT system design and specifications conform to privacy standards and requirements and that technical controls are in place for safeguarding personal information from unauthorized access. (4) The NCPC CCB shall, among other responsibilities, verify that a PIA has been prepared prior to approving a request to develop or procure information technology that collects, maintains, or disseminates Information in Identifiable Form. (5) The NCPC employees shall ensure that any personal information they use in the conduct of their official responsibilities is protected in accordance with the rules set forth in this part. (6) The Chairman of the Commission shall be responsible for acting on all appeals of Adverse Determinations. PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 § 603.4 Standards used to Maintain Records. (a) Records Maintained by the NCPC shall contain only such information about an Individual as is relevant and necessary to accomplish a purpose NCPC must accomplish to comply with relevant statutes or Executive Orders of the President. (b) Records Maintained by the NCPC and used to make a determination about an Individual shall be accurate, relevant, timely, and complete to assure a fair determination. (c) Information used by the NCPC in making a determination about an Individual’s rights, benefits, and privileges under federal programs shall be collected, to the greatest extent practicable, directly from the Individual. In deciding whether collection of information about an Individual, as opposed to a third party is practicable, the NCPC shall consider the following: (1) Whether the information sought can only be obtained from a third party; (2) Whether the cost to collect the information from an Individual is unreasonable compared to the cost of collecting the information from a third party; (3) Whether there is a risk of collecting inaccurate information from a third party that could result in a determination adverse to the Individual concerned; (4) Whether the information collected from an Individual requires verification by a third party; and (5) Whether the Individual can verify information collected from third parties. (d) The NCPC shall not Maintain Records describing how an Individual exercises rights guaranteed by the First Amendment to the Constitution unless the maintenance of the Record is expressly authorized by statute or by the Individual about whom the Record is Maintained or pertinent to and within the scope of an authorized law enforcement activity. § 603.5 Notice to Individuals supplying information. (a) Each Individual asked to supply information about himself/herself to be added to a System of Records shall be informed by the NCPC of the basis for requesting the information, its potential use, and the consequences, if any, of not supplying the information. Notice to the Individual shall state at a minimum: (1) The legal authority for NCPC’s solicitation of the information and whether disclosure is mandatory or voluntary; (2) The principal purpose(s) for which the NCPC intends to use the information; E:\FR\FM\20SER2.SGM 20SER2 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations (a) The NCPC shall publish a notice in the Federal Register describing each System of Records 40-days prior to the establishment of a new or revision to an existing System of Records. (b) The SORN shall include: (1) The name and location of the System of Records. The name shall identify the general purpose, and the location shall include whether the system is located on the NCPC’s main server or central files. The physical address of either shall also be included. (2) The categories or types of Individuals on whom NCPC Maintains Records in the System of Records; (3) The categories or types of Records in the System; (4) The statutory or Executive Order authority for Maintenance of the System; (5) The purpose(s) or explanation of why the NCPC collects the particular Records including identification of all internal and routine uses; (6) The policies and practices of the NCPC regarding storage, retrieval, access controls, retention and disposal of Records; (7) The title and business address of the agency official responsible for the identified System of Records; (8) The NCPC procedures for notification to an Individual who requests if a System of Records contains a Record about the Individual; and (9) The NCPC sources of Records in the System. harm, embarrassment, inconvenience, or unfairness to any Individual on whom information is Maintained. (b) Manual Records subject to the Privacy Act shall be maintained by the NCPC in a manner commensurate with the sensitivity of the information contained in the Records. The following minimum safeguards or safeguards affording comparable protection shall apply to manual Systems of Records: (1) The NCPC shall post areas where Records are maintained or regularly used with an appropriate warning sign stating access to the Records shall be limited to authorized persons. The warning shall also advise that the Privacy Act prescribes criminal penalties for unauthorized disclosure of Records subject to the Act. (2) During work hours, the NCPC shall protect areas in which Records are Maintained or regularly used by restricting occupancy of the area to authorized persons or storing the Records in a locked container and room. (3) During non-working hours, access to Records shall be restricted by their storage in a locked storage container and room. (4) Any lock used to secure a room where Records are stored shall not be capable of being disengaged with a master key that opens rooms other than those in which Records are stored. (c) Computerized Records subject to the Privacy Act shall be maintained, at a minimum, subject to the safeguards recommended by the National Institute of Standards and Technology (NIST) Special Publications 800–53, Recommended Security Controls for Federal Information Systems and Organizations as revised from time to time or any superseding guidance offered by NIST or other federal agency charged with the responsibility for providing recommended safeguards for computerized Records subject to the Privacy Act. (d) NCPC shall maintain a System of Records comprised of Office of Personnel Management (OPM) personnel Records in accordance with standards prescribed by OPM and published at 5 CFR 293.106–293.107. § 603.7 § 603.8 (3) The potential routine uses of the information by the NCPC as published in a Systems of Records Notice; and (4) The effects upon the individual, if any, of not providing all or any part of the requested Information to the NCPC. (b) When NCPC collects information on a standard form, the notice to the Individual shall either be provided on the form, on a tear off sheet attached to the form, or on a separate form, whichever is deemed the most practical by the NCPC. (c) NCPC may ask an Individual to acknowledge, in writing, receipt of the notice required by this section. sradovich on DSKBBY8HB2PROD with RULES2 § 603.6 SORN. System of Records Notice or Procedures to safeguard Records. (a) The NCPC shall implement the procedures set forth in this section to insure sufficient administrative, technical and physical safeguards exist to protect the security and confidentiality of Records. The enumerated procedures shall also protect against any anticipated threats or hazards to the security of Records with the potential to cause substantial VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 Employee conduct. (a) Employees with duties requiring access to and handling of Records shall, at all times, take care to protect the integrity, security, and confidentiality of the Records. (b) No employee of the NCPC shall disclose Records unless disclosure is permitted by § 603.10(b), by part 602 of this chapter, or disclosed to the Individual to whom the Record pertains. PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 44049 (c) No employee of the NCPC shall alter or destroy a Record unless such Record or destruction is undertaken in the course of the employee’s regular duties or such alteration or destruction is allowed pursuant to regulations published by the National Archives and Records Administration (NARA) or required by a court of competent jurisdiction. Records shall not be destroyed or disposed of while they are the subject of a pending request, appeal or lawsuit under the Privacy Act. § 603.9 Government contracts. (a) When a contract provides for third party operation of a SOR on behalf of the NCPC to accomplish a NCPC function, the contract shall require that the requirements of the Privacy Act and the rules in this part be applied to such System. (b) The Division Director responsible for the contract shall designate a NCPC employee to oversee and manage the SOR operated by the contractor. § 603.10 Conditions for disclosure. (a) Except as set forth in paragraph (b) of this section, no Record contained in a SOR shall be disclosed by any means of communication to any person, or to another agency, unless prior written consent is obtained from the Individual to whom the Record pertains. (b) The limitations on disclosure contained in paragraph (a) of this section shall not apply when disclosure of a Record is: (1) To employees of the NCPC for use in the performance of their duties; (2) Required by the Freedom of Information Act (FOIA), 5 U.S.C. 555; (3) For a Routine Use as described in a SORN; (4) To the Bureau of Census for statistical purposes, provided that the Record must be transferred in a form that precludes individual identification; (5) To an Individual who provides NCPC adequate written assurance that the Record shall be used solely for statistical or research purposes, provided that the Record must be transferred in a form that precludes Individual identification; (6) To the NARA because the Record warrants permanent retention because of historical or other national value as determined by NARA or to permit NARA to determine whether the Record has such value; (7) To a law enforcement agency for a civil or criminal law enforcement activity, provided that the law enforcement agency must submit a written request to the NCPC specifying the Record(s) sought and the purpose for which they will be used; E:\FR\FM\20SER2.SGM 20SER2 44050 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations (8) To any person upon demonstration of compelling information that an Individual’s health or safety is at stake and provided that upon disclosure, notification is given to the Individual to whom the Record pertains at that Individual’s last known address; (9) To either House of Congress, and any committee or subcommittee thereof, to include joint committees of both houses and any subcommittees thereof, when a Record falls within their jurisdiction; (10) To the Comptroller General, or any of his authorized representatives, to allow the Government Accountability Office to perform its duties; (11) Pursuant to a court order by a court of competent jurisdiction; and (12) To a consumer reporting agency trying to collect a claim of the government as authorized by 31 U.S.C. 3711(e). § 603.11 Accounting of disclosures. (a) Except for disclosures made under §§ 603.10(b)(1)–(2), when a Record is disclosed to any person, or to another agency, NCPC shall prepare an accounting of the disclosure. The accounting shall Record the date, nature, and purpose of the disclosure and the name and address of the person or agency to whom the disclosure was made. The NCPC shall maintain all accountings for a minimum of five years or the life of the Record, whichever is greatest, after the disclosure is made. (b) Except for disclosures under § 603.10(b)(7), accountings of all disclosures shall be made available to the Individual about whom the disclosed Records pertains at his/her request. Such request shall be made in accordance with the requirements of § 603.15. (c) For any disclosure for which an accounting is made, if a subsequent amendment or correction or notation of dispute is made to a Record by the NCPC in accordance with the requirements of § 603.14, the Individual and/or agency to whom the Record was originally disclosed shall be informed. sradovich on DSKBBY8HB2PROD with RULES2 § 603.12 Requests for notification of the existence of Records. (a) An Individual seeking to determine whether a System of Records contains Records pertaining to him/her shall do so by appearing in person at NCPC’s official place of business or by written correspondence to the NCPC PAO. In-person requests shall be by appointment only with the PAO on a Workday during regular office hours. Written requests sent via the U.S. mail shall be directed to the Privacy Act Officer at NCPC’s official address listed VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 at www.ncpc.gov. If sent via email or facsimile, the request shall be directed to the email address or facsimile number indicated on the NCPC Web site. To expedite internal handling of Privacy Act Requests, the words Privacy Act Request shall appear prominently on the envelop or the subject line of an email or facsimile cover sheet. (b) The Request shall state that the Individual is seeking information concerning the existence of Records about himself/herself and shall supply information describing the System where such Records might be maintained as set forth in a System of Record Notice. (c) The NCPC PAO shall notify the Requester in writing within 20 Workdays of the Request whether a System contains Records pertaining to him/her unless the Records were compiled in reasonable anticipation of a civil action or proceeding or the Records are NCPC employee Records under the jurisdiction of the OPM. In both of the later cases the Request shall be denied. If the Request is denied because the Record(s) is/are under the jurisdiction of the OPM, the response shall advise the Requester to contact OPM. If the PAO denies the Request, the response shall state the reason for the denial and advise the Requester of the right to appeal the decision within 60 days of the date of the letter denying the request in accordance with the requirements set forth in § 603.16. § 603.13 Requests for access to Records. (a) An Individual seeking access to Records about himself/herself shall do so by appearing in person at NCPC’s official place of business or by written correspondence to the NCPC Privacy Act Officer. In-person requests shall be by appointment only with the Privacy Act Officer on a Workday during regular office hours. For written requests sent via the U.S. mail, the Request shall be directed to the Privacy Act Officer at NCPC’s official address listed at www.ncpc.gov. If sent via email or facsimile, the request shall be directed to the email address or facsimile number indicated on the NCPC Web site. To expedite internal handling of Privacy Act Requests, the words Privacy Act Request shall appear prominently on the envelop or the subject line of an email or facsimile cover sheet. (b) The Request shall: (1) State the Request is made pursuant to the Privacy Act; (2) Describe the requested Records in sufficient detail to enable their location including, without limitation, the dates the Records were compiled and the name or identifying number of each PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 System of Record in which they are kept as identified in the list of NCPC’s SORNs published on its Web site; and (3) State pursuant to the fee schedule in set forth in § 603.17 a willingness to pay all fees associated with the Privacy Act Request or the maximum fee the Requester is willing to pay. (c) The NCPC shall require identification as follows before releasing Records to an Individual: (1) An Individual Requesting Privacy Act Records in person shall present a valid, photographic form of identification such as a driver’s license, employee identification card, or passport that renders it possible for the PAO to verify that the Individual is the same Individual as contained in the requested Records. (2) An Individual Requesting Privacy Act Records by mail shall state their full name, address and date of birth in their correspondence. The Request must be signed and the signature must either be notarized or submitted with a statement signed and dated as follows: I declare under penalty of perjury that the foregoing facts establishing my identification are true and correct. (d) The PAO shall determine within 20 Workdays whether to grant or deny an Individual’s Request for Access to the requested Record(s) and notify the Individual in writing accordingly. The PAO’s response shall state his/her determination and the reasons therefor. If the Request is denied because the Record(s) is/are under the jurisdiction of the OPM, the response shall advise the Requester to contact OPM. In the case of an Adverse Determination, the written notification shall advise the Individual of his/her right to appeal the Adverse Determination in accordance with the requirements of § 603.16. § 603.14 Requests for Amendment or Correction of Records. (a) An Individual seeking to amend or correct a Record pertaining to him/her that he/she believes to be inaccurate, irrelevant, untimely or incomplete shall submit a written request to the PAO at the address listed on NCPC’s official Web site www.ncpc.gov. If sent via email or facsimile, the Request shall be directed to the email address or facsimile number indicated on the NCPC Web site. To expedite internal handling, the words Privacy Act Request shall appear prominently on the envelop or the subject line of an email or facsimile cover sheet. (b) The Request shall: (1) State the Request is made pursuant to the Privacy Act; (2) Describe the requested Record in sufficient detail to enable its location E:\FR\FM\20SER2.SGM 20SER2 sradovich on DSKBBY8HB2PROD with RULES2 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations including, without limitation, the dates the Records was compiled and the name or identifying number of the System of Record in which the Record is kept as identified in the list of NCPC’s SORNs published on its Web site; (3) State in detail the reasons why the Record, or objectionable portion(s) thereof, is/are not accurate, relevant, timely or complete. (4) Include copies of documents or evidence relied upon in support of the Request for Amendment or Correction; and (5) State specifically, and in detail, the changes sought to the Record, and if the changes include rewriting the Record, or portions thereof, or adding new language, the Individual shall propose specific language to implement the requested changes. (c) A request to Amend or Correct a Record shall be submitted only if the Requester has previously requested and been granted access to the Record and has inspected or been given a copy of the Record. (d) The PAO shall render a decision within 20 Workdays. If the Request for an Amendment or Correction fails to meet the requirements of paragraphs (b)(1)–(5) of this section, the PAO shall advise the Individual of the deficiency and advise what additional information is required to act upon the Request. The timeframe for a decision on the Request shall be tolled (stopped) during the pendency of a request for additional information and shall resume when the additional information is received. If the Requester fails to submit the requested additional information within a reasonable time, the PAO shall reject the Request. (e) The PAO’s decision on a Request for Amendment or Correction shall be in writing and state the basis for the decision. If the Request is denied because the Record(s) is/are under the jurisdiction of the OPM, the response shall advise the Requester to contact OPM. In the event of an Adverse Determination, the written notification shall advise the Individual of his/her right to appeal the Adverse Determination in accordance with the requirements of § 603.16. (f) If the PAO approves the Request for Amendment or Correction, the PAO shall ensure that subject Record is amended or corrected, in whole or in part. If the PAO denies the Request for Amendment or Correction, a notation of dispute shall be noted on the Record. If an accounting of disclosure has been made pursuant to § 603.11, the PAO shall advise all previous recipients of the Record that an amendment or correction or notation of dispute has VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 been made and, if applicable, the substance of the change. § 603.15 Requests for Accounting of Record disclosures. (a) An Individual seeking information regarding an accounting of disclosure of a Record pertaining to him/her made in accordance with § 603.11 shall submit a written request to the PAO at the address listed on NCPC’s official Web site www.ncpc.gov. If sent via email or facsimile, the Request shall be directed to the email address or facsimile number indicated on the NCPC Web site. To expedite internal handling, the words Privacy Act Request shall appear prominently on the envelop or the subject line of an email or facsimile cover sheet. (b) The Request shall: (1) State the Request is made pursuant to the Privacy Act; and (2) Describe the requested Record in sufficient detail to determine whether it is or is not contained in an accounting of disclosure. (c) The NCPC PAO shall notify the Requester in writing within 20 Workdays of the Request and advise if the Record was included in an accounting of disclosure. In the event of a disclosure, the response shall include the date, nature, and purpose of the disclosure and the name and address of the person or agency to whom the disclosure was made. If the Request is denied because the Record(s) is/are under the jurisdiction of the OPM, the response shall advise the Requester to contact OPM. In the event of an Adverse Determination, the written notification shall advise the Individual of his/her right to appeal the Adverse Determination in accordance with the requirements of § 603.16. (a) Except for appeals pursuant to paragraph (d) of this section, an appeal of an Adverse Determination shall be made in writing addressed to the Chairman (Chairman) of the National Capital Planning Commission at the address listed on NCPC’s official Web site www.ncpc.gov. If sent via email or facsimile, the Request shall be directed to the email address or facsimile number indicated on the NCPC Web site. To expedite internal handling, the words Privacy Act Request shall appear prominently on the envelop or the subject line of an email or facsimile cover sheet. An appeal of an Adverse Determination shall be made within 30 Workdays of the date of the decision. (b) An appeal of an Adverse Determination shall include a statement PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 of the legal, factual or other basis for the Requester’s objection to an Adverse Determination; a daytime phone number or email where the Requester can be reached if the Chairman requires additional information or clarification regarding the appeal; copies of the initial request and the PAO’s written response; and for an Adverse Determination regarding a fee waiver, a demonstration of compliance with part 602 of this chapter. (c) The Chairman shall respond to an appeal of an Adverse Determination in writing within 20 Workdays of receipt of the appeal. If the Chairman grants the appeal, the Chairman shall notify the Requester, and the NCPC shall take prompt action to respond affirmatively to the original Request upon receipt of any fees that may be required. If the Chairman denies the appeal, the letter shall state the reason(s) for the denial, a statement that the decision is final, and advise the Requester of the right to seek judicial review of the denial in the District Court of the United States in either the district in which the Requester resides, the district in which the Requester has his/her principal place of business or the District of Columbia. (d) The appeal of an Adverse Determination based on OPM jurisdiction of the Records shall be made to OPM pursuant to 5 CFR 297.306. (e) The NCPC shall not act on an appeal of an Adverse Determination if the underlying Request becomes the subject of litigation. (f) A party seeking court review of an Adverse Determination must first appeal the Adverse Determination under this section. § 603.17 § 603.16 Appeals of Adverse Determinations. 44051 Fees. (a) The NCPC shall charge for the duplication of Records under this subpart in accordance with the schedule of fees set forth in part 602 of this chapter. The NCPC shall not charge duplication fees when the Requester asks to inspect the Records personally but is provided copies at the discretion of the agency. (b) The NCPC shall not charge any fees for the search for or review of Records requested by an Individual. § 603.18 Privacy Impact Assessments. (a) Consistent with the requirements of the E-Government Act and OMB Memorandum M–03–22, the NCPC shall conduct a PIA before: (1) Developing or procuring IT systems or projects that collect, maintain, or disseminate IIF; or E:\FR\FM\20SER2.SGM 20SER2 44052 Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations sradovich on DSKBBY8HB2PROD with RULES2 (2) Installing a new collection of information that will be collected, maintained, or disseminated using IT and includes IIF for 10 or more persons (excluding agencies, instrumentalities or employees of the federal government). (b) The PIA shall be prepared through the coordinated effort of the NCPC’s privacy Officers (SAOP, PAO), Division Directors, CIO, and IT staff. (c) As a general rule, the level of detail and content of a PIA shall be commensurate with the nature of the information to be collected and the size and complexity of the IT system involved. Specifically, a PIA shall analyze and describe: (1) The information to be collected; (2) The reason the information is being collected; VerDate Sep<11>2014 18:44 Sep 19, 2017 Jkt 241001 (3) The intended use for the information; (4) The identity of those with whom the information will be shared; (5) The opportunities Individuals have to decline to provide the information or to consent to particular uses and how to consent; (6) The manner in which the information will be secured; and (7) The extent to which the system of records is being created under the Privacy Act. (d) In addition to the information specified in paragraphs (b)(1)–(7) of this section, the PIA must also identify the choices NCPC made regarding an IT system or collection of information as result of preparing the PIA. (e) The CCB shall verify that a PIA has been prepared prior to approving a PO 00000 Frm 00018 Fmt 4701 Sfmt 9990 request to develop or procure information technology that collects, maintains, or disseminates Information in Identifiable Form. (f) The SAOP shall approve and sign the NCPC’s PIA. If the SAOP is the Contracting Officer for the IT system that necessitated preparation of the PIA, the Executive Director shall approve and sign the PIA. (g) Following approval of the PIA, the NCPC shall post the PIA document on the NCPC Web site located at www.ncpc.gov. Dated: September 14, 2017. Anne R. Schuyler, General Counsel. [FR Doc. 2017–19996 Filed 9–19–17; 8:45 am] BILLING CODE 7520–01–P E:\FR\FM\20SER2.SGM 20SER2

Agencies

[Federal Register Volume 82, Number 181 (Wednesday, September 20, 2017)]
[Rules and Regulations]
[Pages 44044-44052]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-19996]


-----------------------------------------------------------------------

NATIONAL CAPITAL PLANNING COMMISSION

1 CFR Parts 455 and 603


Privacy Act Regulations

AGENCY: National Capital Planning Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The National Capital Planning Commission (NCPC or Commission) 
hereby adopts new regulations governing NCPC's implementation of the 
Privacy Act, as amended and the privacy provisions of the E-Government 
Act of 2002. NCPC must comply with the requirements of the Privacy Act 
and the privacy provisions of the E-Government Act of 2002 for records 
maintained on individuals and personal information stored as a hard 
copy or electronically.

DATES: This rule is effective October 20, 2017.

FOR FURTHER INFORMATION CONTACT: Anne R. Schuyler, General Counsel at 
202-482-7223, anne.schuyler@ncpc.gov.

SUPPLEMENTARY INFORMATION: NCPC adopted its current Privacy Regulations 
(1 CFR part 455) in 1977 pursuant to 5 U.S.C. 552a. Since that time, 
Congress amended the Privacy Act multiple times including the E-
Government Act of 2002 which addressed requirements for maintaining 
electronic privacy records. The regulations update NCPC's existing 
Privacy Regulations to reflect amendments over time. The Office of the 
Federal Register recently assigned NCPC a new chapter of 1 CFR--Chapter 
VI--to allow NCPC to group all its regulations together in one chapter.
    NCPC eliminates its Privacy Regulations at 1 CFR part 455 and 
codifies the new Privacy Regulations at 1 CFR part 603.

I. Section by Section Analysis of NCPC's Privacy Act Regulations

    Sec.  603.1 Purpose and scope. This section advises the purpose of 
the regulations is to implement a privacy program consistent with the 
requirements of the Privacy Act and the privacy related provision of 
the E-Government Act of 2002. As stated in the section, NCPC's privacy 
program extends to all Records maintained by NCPC in a System of 
Records; the responsibilities of NCPC to safeguard this information; 
the procedures by which Individuals may request notification of the 
existence of a Record about them, access to Records about them, an 
amendment to or correction of the Records about them, and an accounting 
of disclosures of those Records by the NCPC; the procedures by which an 
Individual may appeal an Adverse Determination, and the conduct of a 
Privacy Impact Assessment.
    Sec.  603.2 Definitions. This section defines terms frequently used 
in the regulations. The section includes the five terms defined in the 
existing regulations--Individual, Maintain, Record, Routine Use and 
System of Records. It adds the definitions for the following terms: 
Adverse Determination, E-Government Act of 2002, Information in 
Identifiable Form (IIF), Information Technology, Privacy Act Officer 
(PAO), Privacy Act, Privacy Impact Assessment (PIA), Record, Requester, 
Request for Access to a Record, Request for Amendment or Correction of 
a Record, Senior Agency Official for Privacy (SAOP), System of Records 
Notice (SORN), and Workday.
    Sec.  603.3 Privacy Act program responsibilities. This section 
requires NCPC to designate a SAOP and a PAO and outlines the 
responsibilities associated with both positions. It also enumerates the 
Privacy Act responsibilities of other NCPC personnel.
    Sec.  603.4 Standards used to Maintain Records. This section 
establishes the standards NCPC must follow regarding privacy 
information. The section requires NCPC to limit private information to 
only that necessary to achieve the purposes for which it is collected 
and stored; to ensure all information collected is accurate, relevant, 
timely, and complete; and to collect privacy information regarding an 
Individual's rights, benefits and privileges under federal programs 
from the Individual to the maximum extent possible subject to 
collection from third parties in certain circumstances.
    Sec.  603.5 Notice to Individuals supplying information. This 
section enumerates the information NCPC must provide Individuals who 
are asked to supply information about themselves. The required 
information enumerated includes the purpose for which NCPC intends to 
use the information; the effects upon an Individual for not providing 
the information; and the form of notice NCPC must supply in response to 
an Individual's provision of information.
    Sec.  603.6 System of Records (SOR) Notice (SORN). This section 
requires NCPC to publish a notice in the Federal Register describing 
each SOR 40-days before establishing a new or revising an existing SOR. 
The section requires the SORN to include the purpose of the Records and 
their location; the types of Individuals contained in the SOR; the

[[Page 44045]]

authority for maintaining the SOR; the purpose or reason why NCPC 
collects the Records and their intended routine uses; the sources of 
the Records in the SOR; the policies and practices regarding storage, 
retrieval, access controls, retention, and disposal of the Records; the 
identification of the agency official responsible for the SOR; and the 
procedures for notifying an Individual who requests whether the SOR 
contains information about him/her.
    Sec.  603.7 Procedures to safeguard Records. This section describes 
the procedures utilized by NCPC to safeguard hard copy and computerized 
records subject to the Privacy Act. The section requires hard copy 
Records to be stored in a locked room subject to restricted access with 
external posted warning signs limiting access to authorized personnel 
and/or stored in a locked container with identical precautions to those 
used for a locked room. The section requires computerized Records to be 
maintained subject to the Safeguards recommended by the National 
Institute of Standards and Technology (NIST).
    Sec.  603.8 Employee conduct. This section requires employees with 
duties requiring access to and handling of Records to do so in a manner 
that protects the integrity, security and confidentiality of the 
Records. It prohibits employee disclosure of records unless authorized 
by the rules in this part, permitted by NCPC's FOIA regulations (1 CFR 
part 602), or disclosed to the Individual to whom the Record pertains. 
The section also prohibits destruction or alteration of Records unless 
required as part of an employee's regular duties, required by 
regulations published by the National Archives Record Administration 
(NARA), or required by a court of law.
    Sec.  603.9 Government contracts. This section requires contractors 
operating a System of Records on behalf of NCPC to abide by the 
requirements of the Privacy Act. It also equires a NCPC employee to 
oversee and manage the SOR operated by a contractor.
    Sec.  603.10 Conditions for disclosure. Subject to a list of 
enumerated exceptions, this section precludes disclosure of a Record 
contained in a SOR unless prior written consent is obtained from the 
Individual to whom the record pertains.
    Sec.  603.11 Accounting of disclosures. This section requires NCPC 
to prepare an accounting of disclosure when a Record is disclosed to 
any person or to another agency.
    The section requires the contents of an accounting to include the 
date, nature, and purpose of the disclosure and the name and address of 
the person or agency to whom the disclosure was made. The section also 
requires Accountings of disclosures to be made available to the 
Individual about whom the disclosed Record pertains except under 
limited circumstances. It further requires changes to disclosed Records 
to be shared with the person or agency to whom the Record was 
originally disclosed.
    Sec.  603.12 Requests for notification of the existence of Records. 
This section advises Individuals how to determine whether a System of 
Records maintained by NCPC contains Records pertaining to them. It 
requires Individuals either to contact NCPC in writing or appear at 
NCPC's offices by appointment to make the subject request. The section 
requires the NCPC PAO to respond to a request in writing within 20 
Workdays, to include in the response the Reason(s) for the PAO's 
determination, and to advise the requester of the right to appeal the 
decision.
    Sec.  603.13 Request for access to Records. This section advises 
Individuals how to access NCPC records about themselves. It requires 
Individuals to request the right to access Records either in writing or 
to appear at NCPC's offices by appointment. The section enumerates the 
information required to be included in a request, and obligates 
Individuals to present certain specified identification to access the 
requested Records. The section also requires the NCPC PAO to respond to 
a request for access in writing within 20 Workdays, to state in the 
response the reason for the PAO's determination, and to advise the 
Requester of the right to appeal an Adverse Determination.
    Sec.  603.14 Requests for amendment or correction of Records. This 
section outlines the process Individuals must follow to amend or 
correct Records about them that they believe are inaccurate, 
irrelevant, untimely or incomplete. The section requires a request for 
amendment or correction to be in writing, include certain specified 
information, and to be made only if the Individual has previously 
requested and been granted access to the Record. The section also 
requires the NCPC PAO to respond to a request for amendment or 
correction in writing within 20 Workdays, to state the reason for the 
PAO's determination in the response, to advise the requester of the 
right to appeal an Adverse Determination, to ensure the Record is 
amended or corrected in whole or in part if the PAO approves the 
request, and to place a notation of a dispute on the Record if the 
request is denied.
    Sec.  603.15 Requests for an accounting of Records disclosures. 
This section outlines the process Individuals must follow to obtain 
information about disclosures of Records pertaining to them. It 
requires a request for information about Records disclosed to include 
certain specified information. The section also requires the NCPC PAO 
to respond to a request for information about disclosures in writing 
within 20 Workdays, to include, in the event of a disclosure, the date, 
nature and purpose of the disclosure, the name and address of the 
person or agency to whom the disclosure was made. The section further 
requires the PAO to state the reason for his/her determination and to 
advise the requester of the right to appeal an Adverse Determination.
    Sec.  602.16 Appeals of Adverse Determinations. This section 
describes the process Individuals must follow to appeal an Adverse 
Determination. As defined in the definition section of the regulations 
Adverse Determination means a decision to withhold any requested Record 
in whole or in part; a decision that the requested Record does not 
exist or cannot be located; a decision that the requested information 
is not a Record subject to the Privacy Act; a decision that a Record, 
or part thereof, does not require amendment or correction; a decision 
to refuse to disclose an accounting of disclosure; and a decision to 
deny a fee waiver. The term also encompasses a challenge to NCPC's 
determination that Records have not been described adequately, that 
there are no responsive Records, or that an adequate search has been 
conducted. The section requires an Individual to submit a written 
appeal to the Chairman of the Commission stating the legal, factual or 
other basis for the Appeal, and it requires the Chairman to provide a 
written response within 30 Workdays. The section also requires NCPC to 
take prompt action to respond affirmatively to the Individual's 
original request if the Chairman grants the request and to state the 
reasons for a denial and the right to appeal the denial to a court of 
competent jurisdiction.
    Sec.  603.17 Fees. This section states the fees to be charged for 
the search for and duplication of Records. It advises fees for 
duplication shall be those established by NCPC's FOIA Regulations, and 
it states there are no fees for the search or review of Records 
requested by an Individual.
    Sec.  603.18 Privacy Impact Assessments. This section states when 
NCPC must conduct a Privacy Impact Assessment (PIA), the contents of a 
PIA, and the process for approving the PIA. The section requires a PIA 
to be

[[Page 44046]]

conducted before developing or procuring an IT system that collects, 
maintains or disseminates Information that identifies an Individual 
(IIF or Information in Identifiable Form) or when NCPC installs a new 
collection of IIF for 10 or more persons other than employees, or 
agencies of the federal government. The section also requires a PIA to 
analyze a number of factors related to the collection, use, owner, 
storage and manner of securing the IIF, and it requires the PIA to be 
approved and posted on NCPC's Web site prior to undertaking the action 
that required the PIA.

II. Summary of and Response to Comments

    NCPC published a proposed rule addressing revisions to its current 
Privacy Act Regulations in the Federal Register on August 1, 2017 for a 
30-day public comment period. The public comment period closed on 
August 31, 2017.
    NCPC received no comments on its proposed Privacy Act Regulations. 
Consequently, the proposed Privacy Act Regulations are now being 
advertised as the final Privacy Act Regulations.

III. Compliance With Laws and Executive Orders

Executive Orders 12866 and 13563

    By Memorandum dated October 12, 1993 from Sally Katzen, 
Administrator, Office of Information and Regulatory Affairs (OIRA) to 
Heads of Executive Departments and Agencies, and Independent Agencies, 
OMB rendered the NCPC exempt from the requirements of Executive Order 
12866 (See, Appendix A of cited Memorandum). Nonetheless, NCPC 
endeavors to adhere to the provisions of Executive Orders and developed 
this rule in a manner consistent with the requirements of Executive 
Order 13563.

Executive Order 13771

    By virtue of its exemption from the requirements of EO 12866, NCPC 
is exempted from this Executive Order. NCPC confirmed this fact with 
OIRA.

Regulatory Flexibility Act

    As required by the Regulatory Flexibility Act (5 U.S.C. 601 et 
seq.), the NCPC certifies that the rule will not have a significant 
economic effect on a substantial number of small entities.

Small Business Regulatory Enforcement Fairness Act

    This is not a major rule under 5 U.S.C. 804(2), the Small Business 
Regulatory Enforcement Fairness Act. It does not have an annual effect 
on the economy of $100 million or more; will not cause a major increase 
in costs for individuals, various levels of governments or various 
regions; and does not have a significant adverse effect on completion, 
employment, investment, productivity, innovation or the competitiveness 
of US enterprises with foreign enterprises.

Unfunded Mandates Reform Act (2 U.S.C. 1531 et seq.)

    A statement regarding the Unfunded Mandates Reform Act is not 
required. The rule neither imposes an unfunded mandate of more than 
$100 million per year nor imposes a significant or unique effect on 
State, local or tribal governments or the private sector.

Federalism (Executive Order 13132)

    In accordance with Executive Order 13132, the rule does not have 
sufficient federalism implications to warrant the preparation of a 
Federalism Assessment. The rule does not substantially and directly 
affect the relationship between the Federal and state governments.

Civil Justice Reform (Executive Order 12988)

    The General Counsel of NCPC has determined that the rule does not 
unduly burden the judicial system and meets the requirements of 
Executive Order 12988 3(a) and 3(b)(2).

Paperwork Reduction Act

    The rule does not contain information collection requirements, and 
it does not require a submission to the Office of Management and Budget 
under the Paperwork Reduction Act.

9. National Environmental Policy Act

    The rule is of an administrative nature, and its adoption does not 
constitute a major federal action significantly affecting the quality 
of the human environment. NCPC's adoption of the rule will have minimal 
or no effect on the environment; impose no significant change to 
existing environmental conditions; and will have no cumulative 
environmental impacts.

10. Clarity of the Regulation

    Executive Order 12866, Executive Order 12988, and the Presidential 
Memorandum of June 1, 1998 requires the NCPC to write all rules in 
plain language. NCPC maintains the rule meets this requirement. Those 
individuals reviewing the rule who believe otherwise should submit 
specific comments to the addresses noted above recommending revised 
language for those provision or portions thereof where they believe 
compliance is lacking.

11. Public Availability of Comments

    Be advised that personal information such as name, address, phone 
number, electronic address, or other identifying personal information 
contained in a comment may be made publically available. Individuals 
may ask NCPC to withhold the personal information in their comment, but 
there is no guarantee the agency can do so.

List of Subjects in 1 CFR Parts 455 and 603 Privacy

    For the reasons stated in the preamble, the National Capital 
Planning Commission amends 1 CFR Chapters IV and VI as follows:

CHAPTER IV--MISCELLANEOUS AGENCIES

PART 455--[Removed]

0
1. Under the authority of 40 U.S.C. 8711(a) remove part 455.

CHAPTER VI--NATIONAL CAPITAL PLANNING COMMISSION

0
2. Add part 603 to read as follows:

PART 603--PRIVACY ACT REGULATIONS

Sec.
603.1 Purpose and scope.
603.2 Definitions.
603.3 Privacy Act program responsibilities.
603.4 Standard used to Maintain Records.
603.5 Notice to Individuals supplying information.
603.6 System of Records Notice or SORN.
603.7 Procedures to safeguard Records.
603.8 Employee conduct.
603.9 Government contracts.
603.10 Conditions of disclosure.
603.11 Accounting for disclosures.
603.12 Requests for notification of the existence of Records.
603.13 Requests for access to Records.
603.14 Requests for Amendment or Correction of Records.
603.15 Requests for Accounting of Record disclosures.
603.16 Appeals of Adverse Determinations.
603.17 Fees.
603.18 Privacy Impact Assessments.

    Authority: 5 U.S.C. 552a as amended and 44 U.S.C. ch. 36.


Sec.  603.1  Purpose and scope.

    (a) This part contain the rules the National Capital Planning 
Commission (NCPC) shall follow to implement a privacy program as 
required by the Privacy Act of 1974, 5 U.S.C. 552a (Privacy Act or Act) 
and the privacy provisions of the E-Government Act of 2002 (44 U.S.C. 
ch. 36) (E-Government Act). These rules should be read together with 
the Privacy Act and the

[[Page 44047]]

privacy related provisions of the E-Government Act, which provide 
additional information respectively about Records maintained on 
individuals and protections for the privacy of personal information as 
agencies implement citizen-centered electronic Government.
    (b) Consistent with the requirements of the Privacy Act, the rules 
in this part apply to all Records maintained by NCPC in a System of 
Records; the responsibilities of the NCPC to safeguard this 
information; the procedures by which Individuals may request 
notification of the existence of a record, request access to Records 
about themselves, request an amendment to or correction of those 
Records, and request an accounting of disclosures of those Records by 
the NCPC; and the procedures by which an Individual may appeal an 
Adverse Determination.
    (c) Consistent with the privacy related requirements of the E-
Government Act, the rules in this part also address the conduct of a 
privacy impact assessment prior to developing or procuring information 
technology that collects, maintains, or disseminates information in an 
identifiable form, initiating a new electronic collection of 
information in identifiable form for 10 or more persons excluding 
agencies, instrumentalities or employees of the federal government, or 
changing an existing System that creates new privacy risks.
    (d) In addition to the rules in this part, the NCPC shall process 
all Privacy Act Requests for Access to Records in accordance with the 
Freedom of Information Act (FOIA), 5 U.S.C. 552, and part 602 of this 
chapter.


Sec.  603.2  Definitions.

    For purposes of this part, the following definitions shall apply:
    Adverse Determination shall mean a decision to withhold any 
requested Record in whole or in part; a decision that the requested 
Record does not exist or cannot be located; a decision that the 
requested information is not a Record subject to the Privacy Act; a 
decision that a Record, or part thereof, does not require amendment or 
correction; a decision to refuse to disclose an accounting of 
disclosure; and a decision to deny a fee waiver. The term shall also 
encompass a challenge to NCPC's determination that Records have not 
been described adequately, that there are no responsive Records or that 
an adequate search has been conducted.
    E-Government Act of 2002 shall mean Public Law 107-347, Dec. 17, 
2002, 116 Stat. 2899, the privacy portions of which are set out as a 
note under section 3501 of title 44.
    Individual shall mean a citizen of the United States or an alien 
lawfully admitted for permanent residence.
    Information in Identifiable Form (IIF) shall mean information in an 
Information Technology system or an online collection that directly 
identifies an individual, e.g., name, address, social security number 
or other identifying number or code, telephone number, email address 
and the like; or information by which the NCPC intends to identify 
specific individuals in conjunction with other data elements, e.g., 
indirect identification that may include a combination of gender, race, 
birth date, geographic identifiers, and other descriptions.
    Information Technology (IT) shall mean, as defined in the Clinger 
Cohen Act (40 U.S.C. 11101(6)), any equipment, software or 
interconnected system or subsystem that is used in the automatic 
acquisition, storage, manipulation, management, movement, control, 
display, switching, interchange, transmission or reception of data.
    Maintain shall include maintain, collect, use or disseminate a 
Record.
    Privacy Act Officer shall mean the individual within the NCPC 
charged with responsibility for coordinating and implementing NCPC's 
Privacy Act program.
    Privacy Act or Act shall mean the Privacy Act of 1974, as amended 
and codified at 5 U.S.C. 552a.
    Privacy Impact Assessment (PIA) shall mean an analysis of how 
information is handled to ensure handling conforms to applicable legal, 
regulatory, and policy requirements regarding privacy; to determine the 
risks and effects of collecting, maintaining and disseminating 
information in identifiable form in an electronic system; and to 
examine and evaluate protections and alternative processes for handling 
information to mitigate potential privacy risks.
    Record shall mean any item, collection, or grouping of information 
about an Individual that is Maintained by the NCPC, including, but not 
limited to, an Individual's education, financial transactions, medical 
history, and criminal or employment history and that contains a name, 
or identifying number, symbol, or other identifying particular assigned 
to the Individual, such as a finger or voice print or photograph.
    Requester shall mean an Individual who makes a Request for Access 
to a Record, a Request for Amendment or Correction of a Record, or a 
Request for Accounting of a Record under the Privacy Act.
    Request for Access to a Record shall mean a request by an 
Individual made to the NCPC pursuant to subsection (d)(1) of the 
Privacy Act to gain access to his/her Records or to any information 
pertaining to him/her in the system and to permit him/her, or a person 
of his/her choosing, to review and copy all or any portion thereof.
    Request for Amendment or Correction of a Record shall mean a 
request made by an Individual to the NCPC pursuant to subsection (d)(2) 
of the Privacy Act to amend or correct a Record pertaining to him/her.
    Routine Use shall mean with respect to disclosure of a Record, the 
use of such Record for a purpose which is compatible with the purpose 
for which the Record is collected.
    Senior Agency Official for Privacy (SAOP) shall mean the individual 
within NCPC responsible for establishing and overseeing the NCPC's 
Privacy Act program.
    System of Records or System (SOR or Systems) shall mean a group of 
any Records under the control of the NCPC from which information is 
retrieved by the name of the individual or by some identifying number, 
symbol, or other identifying particular assigned to the individual.
    System of Record Notice (SORN) shall mean a notice published in the 
Federal Register by the NCPC for each new or revised System of Records 
intended to solicit public comment on the System prior to 
implementation.
    Workday shall mean a regular Federal workday excluding Saturday, 
Sunday and legal Federal holidays when the federal government is 
closed.


Sec.  603.3  Privacy Act program responsibilities.

    (a) The NCPC shall designate a Senior Agency Official for Privacy 
(SAOP) to establish and oversee the NCPC's Privacy Act Program and 
ensure compliance with privacy laws, regulations and the NCPC's privacy 
policies. Specific responsibilities of the SAOP shall include:
    (1) Reporting to the Office of Management and Budget (OMB) and 
Congress on the establishment of or revision to Privacy Act Systems;
    (2) Reporting periodically to OMB on Privacy Act activities as 
required by law and OMB;
    (3) Signing Privacy Act SORNS for publication in the Federal 
Register;
    (4) Approving and signing PIAs; and
    (5) Serving as head of the agency response team when responding to 
a large-scale information breach.
    (b) The NCPC shall designate a Privacy Act Officer (PAO) to 
coordinate

[[Page 44048]]

and implement the NCPC's Privacy Act program. Specific responsibilities 
of the PAO shall include:
    (1) Developing, issuing and updating, as necessary, the NCPC's 
Privacy Act policies, standards, and procedures;
    (2) Maintaining Privacy Act program Records and documentation;
    (3) Responding to Privacy Act Requests for Records and coordinating 
appeals of Adverse Determinations for Requests for access to Records, 
Requests for Amendment or Correction of Records, and Requests for 
accounting for disclosures;
    (4) Informing Individuals of information disclosures;
    (5) Working with the NCPC's Division Directors or designated staff 
to develop an appropriate form for collection of Privacy Act 
information and including in the form a Privacy Act statement 
explaining the purpose for collecting the information, how it will be 
used, the authority for such collection, its routine uses, and the 
effect upon the Individual of not providing the requested information;
    (6) Assisting in the development of new or revised SORNs;
    (7) Developing SORN reports for OMB and Congress;
    (8) Submitting new or revised SORNS to the Federal Register for 
publication;
    (9) Assisting in the development of computer matching systems;
    (10) Preparing Privacy Act, Computer Matching, and other reports to 
OMB as required; and
    (11) Evaluating PIA to ensure compliance with E-Government Act 
requirements.
    (c) Other Privacy related responsibilities shall be shared by the 
NCPC Division Directors, the NCPC Chief Information Officer (CIO), the 
NCPC System Developers and Designers, the NCPC Configuration Control 
Board, the NCPC employees, and the Chairman of the Commission.
    (1) The NCPC Division Directors shall be responsible for 
coordinating with the PAO the implementation of the requirements set 
forth in this part for Systems of Records applicable to their area of 
management and the preparation of PIA prior to development or 
procurement of new systems that collect, maintain or disseminate IIF. 
Specific responsibilities include:
    (i) Reviewing existing SOR for need, relevance, and purpose for 
existence, and proposing SOR changes to the PAO as necessary in 
response to altered circumstances;
    (ii) Reviewing existing SOR to ensure information is accurate, 
complete and up to date;
    (iii) Coordinating with the PAO the preparation of new or revised 
SORN;
    (iv) Coordinating with the PAO the development of an appropriate 
form for collection of Privacy Act information and including in the 
form a Privacy Act statement explaining the purpose for collecting the 
information, how it will be used, the authority for such collection, 
its routine uses, and the effect upon the Individual of not providing 
the requested information;
    (v) Collecting information directly from individuals whenever 
possible;
    (vii) Assisting the PAO with providing access to Individuals who 
request information in accordance with the procedures established in 
Sec. Sec.  603.12, 603.13, 603.14 and 603.15.
    (vii) Amending Records if and when appropriate, and working with 
the PAO to inform recipients of former Records of such amendments;
    (viii) Ensuring that System information is used only for its stated 
purpose;
    (ix) Establishing and overseeing appropriate administrative, 
technical, and physical safeguards to ensure security and 
confidentiality of Records; and
    (x) Working with the SAOP, the PAO and Configuration Control Board 
(CCB) on SORs, preparing a PIA, if needed, and obtaining SAOP approval 
for a PIA prior to its publication on the NCPC Web site.
    (2) The CIO shall be responsible for implementing IT security 
management to include security for information protected by the Privacy 
Act and the E-Government Act of 2002. Specific responsibilities 
include:
    (i) Overseeing security policy for privacy data; and
    (ii) Reviewing PIAs prepared for information security 
considerations.
    (3) The NCPC System Developers and Designers shall be responsible 
for ensuring that the IT system design and specifications conform to 
privacy standards and requirements and that technical controls are in 
place for safeguarding personal information from unauthorized access.
    (4) The NCPC CCB shall, among other responsibilities, verify that a 
PIA has been prepared prior to approving a request to develop or 
procure information technology that collects, maintains, or 
disseminates Information in Identifiable Form.
    (5) The NCPC employees shall ensure that any personal information 
they use in the conduct of their official responsibilities is protected 
in accordance with the rules set forth in this part.
    (6) The Chairman of the Commission shall be responsible for acting 
on all appeals of Adverse Determinations.


Sec.  603.4  Standards used to Maintain Records.

    (a) Records Maintained by the NCPC shall contain only such 
information about an Individual as is relevant and necessary to 
accomplish a purpose NCPC must accomplish to comply with relevant 
statutes or Executive Orders of the President.
    (b) Records Maintained by the NCPC and used to make a determination 
about an Individual shall be accurate, relevant, timely, and complete 
to assure a fair determination.
    (c) Information used by the NCPC in making a determination about an 
Individual's rights, benefits, and privileges under federal programs 
shall be collected, to the greatest extent practicable, directly from 
the Individual. In deciding whether collection of information about an 
Individual, as opposed to a third party is practicable, the NCPC shall 
consider the following:
    (1) Whether the information sought can only be obtained from a 
third party;
    (2) Whether the cost to collect the information from an Individual 
is unreasonable compared to the cost of collecting the information from 
a third party;
    (3) Whether there is a risk of collecting inaccurate information 
from a third party that could result in a determination adverse to the 
Individual concerned;
    (4) Whether the information collected from an Individual requires 
verification by a third party; and
    (5) Whether the Individual can verify information collected from 
third parties.
    (d) The NCPC shall not Maintain Records describing how an 
Individual exercises rights guaranteed by the First Amendment to the 
Constitution unless the maintenance of the Record is expressly 
authorized by statute or by the Individual about whom the Record is 
Maintained or pertinent to and within the scope of an authorized law 
enforcement activity.


Sec.  603.5  Notice to Individuals supplying information.

    (a) Each Individual asked to supply information about himself/
herself to be added to a System of Records shall be informed by the 
NCPC of the basis for requesting the information, its potential use, 
and the consequences, if any, of not supplying the information. Notice 
to the Individual shall state at a minimum:
    (1) The legal authority for NCPC's solicitation of the information 
and whether disclosure is mandatory or voluntary;
    (2) The principal purpose(s) for which the NCPC intends to use the 
information;

[[Page 44049]]

    (3) The potential routine uses of the information by the NCPC as 
published in a Systems of Records Notice; and
    (4) The effects upon the individual, if any, of not providing all 
or any part of the requested Information to the NCPC.
    (b) When NCPC collects information on a standard form, the notice 
to the Individual shall either be provided on the form, on a tear off 
sheet attached to the form, or on a separate form, whichever is deemed 
the most practical by the NCPC.
    (c) NCPC may ask an Individual to acknowledge, in writing, receipt 
of the notice required by this section.


Sec.  603.6  System of Records Notice or SORN.

    (a) The NCPC shall publish a notice in the Federal Register 
describing each System of Records 40-days prior to the establishment of 
a new or revision to an existing System of Records.
    (b) The SORN shall include:
    (1) The name and location of the System of Records. The name shall 
identify the general purpose, and the location shall include whether 
the system is located on the NCPC's main server or central files. The 
physical address of either shall also be included.
    (2) The categories or types of Individuals on whom NCPC Maintains 
Records in the System of Records;
    (3) The categories or types of Records in the System;
    (4) The statutory or Executive Order authority for Maintenance of 
the System;
    (5) The purpose(s) or explanation of why the NCPC collects the 
particular Records including identification of all internal and routine 
uses;
    (6) The policies and practices of the NCPC regarding storage, 
retrieval, access controls, retention and disposal of Records;
    (7) The title and business address of the agency official 
responsible for the identified System of Records;
    (8) The NCPC procedures for notification to an Individual who 
requests if a System of Records contains a Record about the Individual; 
and
    (9) The NCPC sources of Records in the System.


Sec.  603.7  Procedures to safeguard Records.

    (a) The NCPC shall implement the procedures set forth in this 
section to insure sufficient administrative, technical and physical 
safeguards exist to protect the security and confidentiality of 
Records. The enumerated procedures shall also protect against any 
anticipated threats or hazards to the security of Records with the 
potential to cause substantial harm, embarrassment, inconvenience, or 
unfairness to any Individual on whom information is Maintained.
    (b) Manual Records subject to the Privacy Act shall be maintained 
by the NCPC in a manner commensurate with the sensitivity of the 
information contained in the Records. The following minimum safeguards 
or safeguards affording comparable protection shall apply to manual 
Systems of Records:
    (1) The NCPC shall post areas where Records are maintained or 
regularly used with an appropriate warning sign stating access to the 
Records shall be limited to authorized persons. The warning shall also 
advise that the Privacy Act prescribes criminal penalties for 
unauthorized disclosure of Records subject to the Act.
    (2) During work hours, the NCPC shall protect areas in which 
Records are Maintained or regularly used by restricting occupancy of 
the area to authorized persons or storing the Records in a locked 
container and room.
    (3) During non-working hours, access to Records shall be restricted 
by their storage in a locked storage container and room.
    (4) Any lock used to secure a room where Records are stored shall 
not be capable of being disengaged with a master key that opens rooms 
other than those in which Records are stored.
    (c) Computerized Records subject to the Privacy Act shall be 
maintained, at a minimum, subject to the safeguards recommended by the 
National Institute of Standards and Technology (NIST) Special 
Publications 800-53, Recommended Security Controls for Federal 
Information Systems and Organizations as revised from time to time or 
any superseding guidance offered by NIST or other federal agency 
charged with the responsibility for providing recommended safeguards 
for computerized Records subject to the Privacy Act.
    (d) NCPC shall maintain a System of Records comprised of Office of 
Personnel Management (OPM) personnel Records in accordance with 
standards prescribed by OPM and published at 5 CFR 293.106-293.107.


Sec.  603.8  Employee conduct.

    (a) Employees with duties requiring access to and handling of 
Records shall, at all times, take care to protect the integrity, 
security, and confidentiality of the Records.
    (b) No employee of the NCPC shall disclose Records unless 
disclosure is permitted by Sec.  603.10(b), by part 602 of this 
chapter, or disclosed to the Individual to whom the Record pertains.
    (c) No employee of the NCPC shall alter or destroy a Record unless 
such Record or destruction is undertaken in the course of the 
employee's regular duties or such alteration or destruction is allowed 
pursuant to regulations published by the National Archives and Records 
Administration (NARA) or required by a court of competent jurisdiction. 
Records shall not be destroyed or disposed of while they are the 
subject of a pending request, appeal or lawsuit under the Privacy Act.


Sec.  603.9  Government contracts.

    (a) When a contract provides for third party operation of a SOR on 
behalf of the NCPC to accomplish a NCPC function, the contract shall 
require that the requirements of the Privacy Act and the rules in this 
part be applied to such System.
    (b) The Division Director responsible for the contract shall 
designate a NCPC employee to oversee and manage the SOR operated by the 
contractor.


Sec.  603.10  Conditions for disclosure.

    (a) Except as set forth in paragraph (b) of this section, no Record 
contained in a SOR shall be disclosed by any means of communication to 
any person, or to another agency, unless prior written consent is 
obtained from the Individual to whom the Record pertains.
    (b) The limitations on disclosure contained in paragraph (a) of 
this section shall not apply when disclosure of a Record is:
    (1) To employees of the NCPC for use in the performance of their 
duties;
    (2) Required by the Freedom of Information Act (FOIA), 5 U.S.C. 
555;
    (3) For a Routine Use as described in a SORN;
    (4) To the Bureau of Census for statistical purposes, provided that 
the Record must be transferred in a form that precludes individual 
identification;
    (5) To an Individual who provides NCPC adequate written assurance 
that the Record shall be used solely for statistical or research 
purposes, provided that the Record must be transferred in a form that 
precludes Individual identification;
    (6) To the NARA because the Record warrants permanent retention 
because of historical or other national value as determined by NARA or 
to permit NARA to determine whether the Record has such value;
    (7) To a law enforcement agency for a civil or criminal law 
enforcement activity, provided that the law enforcement agency must 
submit a written request to the NCPC specifying the Record(s) sought 
and the purpose for which they will be used;

[[Page 44050]]

    (8) To any person upon demonstration of compelling information that 
an Individual's health or safety is at stake and provided that upon 
disclosure, notification is given to the Individual to whom the Record 
pertains at that Individual's last known address;
    (9) To either House of Congress, and any committee or subcommittee 
thereof, to include joint committees of both houses and any 
subcommittees thereof, when a Record falls within their jurisdiction;
    (10) To the Comptroller General, or any of his authorized 
representatives, to allow the Government Accountability Office to 
perform its duties;
    (11) Pursuant to a court order by a court of competent 
jurisdiction; and
    (12) To a consumer reporting agency trying to collect a claim of 
the government as authorized by 31 U.S.C. 3711(e).


Sec.  603.11  Accounting of disclosures.

    (a) Except for disclosures made under Sec. Sec.  603.10(b)(1)-(2), 
when a Record is disclosed to any person, or to another agency, NCPC 
shall prepare an accounting of the disclosure. The accounting shall 
Record the date, nature, and purpose of the disclosure and the name and 
address of the person or agency to whom the disclosure was made. The 
NCPC shall maintain all accountings for a minimum of five years or the 
life of the Record, whichever is greatest, after the disclosure is 
made.
    (b) Except for disclosures under Sec.  603.10(b)(7), accountings of 
all disclosures shall be made available to the Individual about whom 
the disclosed Records pertains at his/her request. Such request shall 
be made in accordance with the requirements of Sec.  603.15.
    (c) For any disclosure for which an accounting is made, if a 
subsequent amendment or correction or notation of dispute is made to a 
Record by the NCPC in accordance with the requirements of Sec.  603.14, 
the Individual and/or agency to whom the Record was originally 
disclosed shall be informed.


Sec.  603.12  Requests for notification of the existence of Records.

    (a) An Individual seeking to determine whether a System of Records 
contains Records pertaining to him/her shall do so by appearing in 
person at NCPC's official place of business or by written 
correspondence to the NCPC PAO. In-person requests shall be by 
appointment only with the PAO on a Workday during regular office hours. 
Written requests sent via the U.S. mail shall be directed to the 
Privacy Act Officer at NCPC's official address listed at www.ncpc.gov. 
If sent via email or facsimile, the request shall be directed to the 
email address or facsimile number indicated on the NCPC Web site. To 
expedite internal handling of Privacy Act Requests, the words Privacy 
Act Request shall appear prominently on the envelop or the subject line 
of an email or facsimile cover sheet.
    (b) The Request shall state that the Individual is seeking 
information concerning the existence of Records about himself/herself 
and shall supply information describing the System where such Records 
might be maintained as set forth in a System of Record Notice.
    (c) The NCPC PAO shall notify the Requester in writing within 20 
Workdays of the Request whether a System contains Records pertaining to 
him/her unless the Records were compiled in reasonable anticipation of 
a civil action or proceeding or the Records are NCPC employee Records 
under the jurisdiction of the OPM. In both of the later cases the 
Request shall be denied. If the Request is denied because the Record(s) 
is/are under the jurisdiction of the OPM, the response shall advise the 
Requester to contact OPM. If the PAO denies the Request, the response 
shall state the reason for the denial and advise the Requester of the 
right to appeal the decision within 60 days of the date of the letter 
denying the request in accordance with the requirements set forth in 
Sec.  603.16.


Sec.  603.13  Requests for access to Records.

    (a) An Individual seeking access to Records about himself/herself 
shall do so by appearing in person at NCPC's official place of business 
or by written correspondence to the NCPC Privacy Act Officer. In-person 
requests shall be by appointment only with the Privacy Act Officer on a 
Workday during regular office hours. For written requests sent via the 
U.S. mail, the Request shall be directed to the Privacy Act Officer at 
NCPC's official address listed at www.ncpc.gov. If sent via email or 
facsimile, the request shall be directed to the email address or 
facsimile number indicated on the NCPC Web site. To expedite internal 
handling of Privacy Act Requests, the words Privacy Act Request shall 
appear prominently on the envelop or the subject line of an email or 
facsimile cover sheet.
    (b) The Request shall:
    (1) State the Request is made pursuant to the Privacy Act;
    (2) Describe the requested Records in sufficient detail to enable 
their location including, without limitation, the dates the Records 
were compiled and the name or identifying number of each System of 
Record in which they are kept as identified in the list of NCPC's SORNs 
published on its Web site; and
    (3) State pursuant to the fee schedule in set forth in Sec.  603.17 
a willingness to pay all fees associated with the Privacy Act Request 
or the maximum fee the Requester is willing to pay.
    (c) The NCPC shall require identification as follows before 
releasing Records to an Individual:
    (1) An Individual Requesting Privacy Act Records in person shall 
present a valid, photographic form of identification such as a driver's 
license, employee identification card, or passport that renders it 
possible for the PAO to verify that the Individual is the same 
Individual as contained in the requested Records.
    (2) An Individual Requesting Privacy Act Records by mail shall 
state their full name, address and date of birth in their 
correspondence. The Request must be signed and the signature must 
either be notarized or submitted with a statement signed and dated as 
follows: I declare under penalty of perjury that the foregoing facts 
establishing my identification are true and correct.
    (d) The PAO shall determine within 20 Workdays whether to grant or 
deny an Individual's Request for Access to the requested Record(s) and 
notify the Individual in writing accordingly. The PAO's response shall 
state his/her determination and the reasons therefor. If the Request is 
denied because the Record(s) is/are under the jurisdiction of the OPM, 
the response shall advise the Requester to contact OPM. In the case of 
an Adverse Determination, the written notification shall advise the 
Individual of his/her right to appeal the Adverse Determination in 
accordance with the requirements of Sec.  603.16.


Sec.  603.14  Requests for Amendment or Correction of Records.

    (a) An Individual seeking to amend or correct a Record pertaining 
to him/her that he/she believes to be inaccurate, irrelevant, untimely 
or incomplete shall submit a written request to the PAO at the address 
listed on NCPC's official Web site www.ncpc.gov. If sent via email or 
facsimile, the Request shall be directed to the email address or 
facsimile number indicated on the NCPC Web site. To expedite internal 
handling, the words Privacy Act Request shall appear prominently on the 
envelop or the subject line of an email or facsimile cover sheet.
    (b) The Request shall:
    (1) State the Request is made pursuant to the Privacy Act;
    (2) Describe the requested Record in sufficient detail to enable 
its location

[[Page 44051]]

including, without limitation, the dates the Records was compiled and 
the name or identifying number of the System of Record in which the 
Record is kept as identified in the list of NCPC's SORNs published on 
its Web site;
    (3) State in detail the reasons why the Record, or objectionable 
portion(s) thereof, is/are not accurate, relevant, timely or complete.
    (4) Include copies of documents or evidence relied upon in support 
of the Request for Amendment or Correction; and
    (5) State specifically, and in detail, the changes sought to the 
Record, and if the changes include rewriting the Record, or portions 
thereof, or adding new language, the Individual shall propose specific 
language to implement the requested changes.
    (c) A request to Amend or Correct a Record shall be submitted only 
if the Requester has previously requested and been granted access to 
the Record and has inspected or been given a copy of the Record.
    (d) The PAO shall render a decision within 20 Workdays. If the 
Request for an Amendment or Correction fails to meet the requirements 
of paragraphs (b)(1)-(5) of this section, the PAO shall advise the 
Individual of the deficiency and advise what additional information is 
required to act upon the Request. The timeframe for a decision on the 
Request shall be tolled (stopped) during the pendency of a request for 
additional information and shall resume when the additional information 
is received. If the Requester fails to submit the requested additional 
information within a reasonable time, the PAO shall reject the Request.
    (e) The PAO's decision on a Request for Amendment or Correction 
shall be in writing and state the basis for the decision. If the 
Request is denied because the Record(s) is/are under the jurisdiction 
of the OPM, the response shall advise the Requester to contact OPM. In 
the event of an Adverse Determination, the written notification shall 
advise the Individual of his/her right to appeal the Adverse 
Determination in accordance with the requirements of Sec.  603.16.
    (f) If the PAO approves the Request for Amendment or Correction, 
the PAO shall ensure that subject Record is amended or corrected, in 
whole or in part. If the PAO denies the Request for Amendment or 
Correction, a notation of dispute shall be noted on the Record. If an 
accounting of disclosure has been made pursuant to Sec.  603.11, the 
PAO shall advise all previous recipients of the Record that an 
amendment or correction or notation of dispute has been made and, if 
applicable, the substance of the change.


Sec.  603.15  Requests for Accounting of Record disclosures.

    (a) An Individual seeking information regarding an accounting of 
disclosure of a Record pertaining to him/her made in accordance with 
Sec.  603.11 shall submit a written request to the PAO at the address 
listed on NCPC's official Web site www.ncpc.gov. If sent via email or 
facsimile, the Request shall be directed to the email address or 
facsimile number indicated on the NCPC Web site. To expedite internal 
handling, the words Privacy Act Request shall appear prominently on the 
envelop or the subject line of an email or facsimile cover sheet.
    (b) The Request shall:
    (1) State the Request is made pursuant to the Privacy Act; and
    (2) Describe the requested Record in sufficient detail to determine 
whether it is or is not contained in an accounting of disclosure.
    (c) The NCPC PAO shall notify the Requester in writing within 20 
Workdays of the Request and advise if the Record was included in an 
accounting of disclosure. In the event of a disclosure, the response 
shall include the date, nature, and purpose of the disclosure and the 
name and address of the person or agency to whom the disclosure was 
made. If the Request is denied because the Record(s) is/are under the 
jurisdiction of the OPM, the response shall advise the Requester to 
contact OPM. In the event of an Adverse Determination, the written 
notification shall advise the Individual of his/her right to appeal the 
Adverse Determination in accordance with the requirements of Sec.  
603.16.


Sec.  603.16  Appeals of Adverse Determinations.

    (a) Except for appeals pursuant to paragraph (d) of this section, 
an appeal of an Adverse Determination shall be made in writing 
addressed to the Chairman (Chairman) of the National Capital Planning 
Commission at the address listed on NCPC's official Web site 
www.ncpc.gov. If sent via email or facsimile, the Request shall be 
directed to the email address or facsimile number indicated on the NCPC 
Web site. To expedite internal handling, the words Privacy Act Request 
shall appear prominently on the envelop or the subject line of an email 
or facsimile cover sheet. An appeal of an Adverse Determination shall 
be made within 30 Workdays of the date of the decision.
    (b) An appeal of an Adverse Determination shall include a statement 
of the legal, factual or other basis for the Requester's objection to 
an Adverse Determination; a daytime phone number or email where the 
Requester can be reached if the Chairman requires additional 
information or clarification regarding the appeal; copies of the 
initial request and the PAO's written response; and for an Adverse 
Determination regarding a fee waiver, a demonstration of compliance 
with part 602 of this chapter.
    (c) The Chairman shall respond to an appeal of an Adverse 
Determination in writing within 20 Workdays of receipt of the appeal. 
If the Chairman grants the appeal, the Chairman shall notify the 
Requester, and the NCPC shall take prompt action to respond 
affirmatively to the original Request upon receipt of any fees that may 
be required. If the Chairman denies the appeal, the letter shall state 
the reason(s) for the denial, a statement that the decision is final, 
and advise the Requester of the right to seek judicial review of the 
denial in the District Court of the United States in either the 
district in which the Requester resides, the district in which the 
Requester has his/her principal place of business or the District of 
Columbia.
    (d) The appeal of an Adverse Determination based on OPM 
jurisdiction of the Records shall be made to OPM pursuant to 5 CFR 
297.306.
    (e) The NCPC shall not act on an appeal of an Adverse Determination 
if the underlying Request becomes the subject of litigation.
    (f) A party seeking court review of an Adverse Determination must 
first appeal the Adverse Determination under this section.


Sec.  603.17  Fees.

    (a) The NCPC shall charge for the duplication of Records under this 
subpart in accordance with the schedule of fees set forth in part 602 
of this chapter. The NCPC shall not charge duplication fees when the 
Requester asks to inspect the Records personally but is provided copies 
at the discretion of the agency.
    (b) The NCPC shall not charge any fees for the search for or review 
of Records requested by an Individual.


Sec.  603.18  Privacy Impact Assessments.

    (a) Consistent with the requirements of the E-Government Act and 
OMB Memorandum M-03-22, the NCPC shall conduct a PIA before:
    (1) Developing or procuring IT systems or projects that collect, 
maintain, or disseminate IIF; or

[[Page 44052]]

    (2) Installing a new collection of information that will be 
collected, maintained, or disseminated using IT and includes IIF for 10 
or more persons (excluding agencies, instrumentalities or employees of 
the federal government).
    (b) The PIA shall be prepared through the coordinated effort of the 
NCPC's privacy Officers (SAOP, PAO), Division Directors, CIO, and IT 
staff.
    (c) As a general rule, the level of detail and content of a PIA 
shall be commensurate with the nature of the information to be 
collected and the size and complexity of the IT system involved. 
Specifically, a PIA shall analyze and describe:
    (1) The information to be collected;
    (2) The reason the information is being collected;
    (3) The intended use for the information;
    (4) The identity of those with whom the information will be shared;
    (5) The opportunities Individuals have to decline to provide the 
information or to consent to particular uses and how to consent;
    (6) The manner in which the information will be secured; and
    (7) The extent to which the system of records is being created 
under the Privacy Act.
    (d) In addition to the information specified in paragraphs (b)(1)-
(7) of this section, the PIA must also identify the choices NCPC made 
regarding an IT system or collection of information as result of 
preparing the PIA.
    (e) The CCB shall verify that a PIA has been prepared prior to 
approving a request to develop or procure information technology that 
collects, maintains, or disseminates Information in Identifiable Form.
    (f) The SAOP shall approve and sign the NCPC's PIA. If the SAOP is 
the Contracting Officer for the IT system that necessitated preparation 
of the PIA, the Executive Director shall approve and sign the PIA.
    (g) Following approval of the PIA, the NCPC shall post the PIA 
document on the NCPC Web site located at www.ncpc.gov.

    Dated: September 14, 2017.
Anne R. Schuyler,
General Counsel.
[FR Doc. 2017-19996 Filed 9-19-17; 8:45 am]
 BILLING CODE 7520-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.