Privacy Act Regulations, 44044-44052 [2017-19996]
Federal Register / Vol. 82, No. 181 / Wednesday, September 20, 2017 / Rules and Regulations
(2) Whether any identified commercial interest of the Requester is sufficiently large in comparison with the public interest in disclosure that disclosure is primarily in the commercial interest of the Requester. A Fee Waiver is justified where the public interest standard of paragraph (b) of this section is satisfied and that public interest is greater in magnitude than that of any identified commercial interest in disclosure. The NCPC ordinarily shall presume that a Representative of the News Media satisfies the public interest standard, and the public interest will be the interest primarily served by disclosure to that Requester. Disclosure to data brokers or others who merely compile and market government information for direct economic return shall not be presumed to primarily serve the public interest.
(d) Where only some of the Records to be released satisfy the requirements for a Fee Waiver, a Fee Waiver shall be granted for those Records.
(e) Requests for a Fee Waiver should address the factors listed in paragraphs (a) through (c) of this section, insofar as they apply to each Request. The NCPC shall exercise its discretion to consider the cost-effectiveness of its investment of administrative resources in this decision-making process in deciding to grant Fee Waivers.
§ 602.15 Preservation of FOIA records.
(a) The NCPC shall preserve all correspondence pertaining to FOIA Requests received and copies or Records provided until disposition or destruction is authorized by the NCPC’s General Records schedule established in accordance with the National Archives and Records Administration (NARA) approved schedule.
(b) Materials that are responsive to a FOIA Request shall not be disposed of or destroyed while the Request or a related lawsuit is pending even if the Records would otherwise be authorized for disposition under the NCPC’s General Records Schedule or NARA or other NARA-approved records schedule.
Dated: September 14, 2017.
Anne R. Schuyler,
General Counsel.
[FR Doc. 2017–19997 Filed 9–19–17; 8:45 am]
BILLING CODE 7502–20–P
NATIONAL CAPITAL PLANNING COMMISSION
1 CFR Parts 455 and 603
Privacy Act Regulations
AGENCY: National Capital Planning Commission.
ACTION: Final rule.
SUMMARY: The National Capital Planning Commission (NCPC or Commission) hereby adopts new regulations governing NCPC’s implementation of the Privacy Act, as amended, and the privacy provisions of the E-Government Act of 2002. NCPC must comply with the requirements of the Privacy Act and the privacy provisions of the E-Government Act of 2002 for records maintained on individuals and personal information stored as a hard copy or electronically.
DATES: This rule is effective October 20, 2017.
FOR FURTHER INFORMATION CONTACT: Anne R. Schuyler, General Counsel at 202–482–7223, anne.schuyler@ncpc.gov.
SUPPLEMENTARY INFORMATION: NCPC adopted its current Privacy Regulations (1 CFR part 455) in 1977 pursuant to 5 U.S.C. 552a. Since that time, Congress amended the Privacy Act multiple times, including the E-Government Act of 2002, which addressed requirements for maintaining electronic privacy records. The regulations update NCPC’s existing Privacy Regulations to reflect amendments over time. The Office of the Federal Register recently assigned NCPC a new chapter of 1 CFR—Chapter VI—to allow NCPC to group all its regulations together in one chapter. NCPC eliminates its Privacy Regulations at 1 CFR part 455 and codifies the new Privacy Regulations at 1 CFR part 603.
I. Section by Section Analysis of NCPC’s Privacy Act Regulations
§ 603.1 Purpose and scope. This section advises the purpose of the regulations is to implement a privacy program consistent with the requirements of the Privacy Act and the privacy related provision of the E-Government Act of 2002. As stated in the section, NCPC’s privacy program extends to all Records maintained by NCPC in a System of Records; the responsibilities of NCPC to safeguard this information; the procedures by which Individuals may request notification of the existence of a Record about them, access to Records about them, an amendment to or correction of the Records about them, and an accounting of disclosures of those Records by the NCPC; the procedures by which an Individual may appeal an Adverse Determination, and the conduct of a Privacy Impact Assessment.
§ 603.2 Definitions. This section defines terms frequently used in the regulations. The section includes the five terms defined in the existing regulations—Individual, Maintain, Record, Routine Use and System of Records. It adds the definitions for the following terms: Adverse Determination, E-Government Act of 2002, Information in Identifiable Form (IIF), Information Technology, Privacy Act Officer (PAO), Privacy Act, Privacy Impact Assessment (PIA), Record, Requester, Request for Access to a Record, Request for Amendment or Correction of a Record, Senior Agency Official for Privacy (SAOP), System of Records Notice (SORN), and Workday.
§ 603.3 Privacy Act program responsibilities. This section requires NCPC to designate a SAOP and a PAO and outlines the responsibilities associated with both positions. It also enumerates the Privacy Act responsibilities of other NCPC personnel.
§ 603.4 Standards used to Maintain Records. This section establishes the standards NCPC must follow regarding privacy information. The section requires NCPC to limit private information to only that necessary to achieve the purposes for which it is collected and stored; to ensure all information collected is accurate, relevant, timely, and complete; and to collect privacy information regarding an Individual’s rights, benefits and privileges under federal programs from the Individual to the maximum extent possible, subject to collection from third parties in certain circumstances.
§ 603.5 Notice to Individuals supplying information. This section enumerates the information NCPC must provide Individuals who are asked to supply information about themselves. The required information enumerated includes the purpose for which NCPC intends to use the information; the effects upon an Individual for not providing the information; and the form of notice NCPC must supply in response to an Individual’s provision of information.
§ 603.6 System of Records (SOR) Notice (SORN). This section requires NCPC to publish a notice in the Federal Register describing each SOR 40 days before establishing a new or revising an existing SOR. The section requires the SORN to include the purpose of the Records and their location; the types of Individuals contained in the SOR; the authority for maintaining the SOR; the purpose or reason why NCPC collects the Records and their intended routine uses; the sources of the Records in the SOR; the policies and practices regarding storage, retrieval, access controls, retention, and disposal of the Records; the identification of the agency official responsible for the SOR; and the procedures for notifying an Individual who requests whether the SOR contains information about him/her.
§ 603.7 Procedures to safeguard Records. This section describes the procedures utilized by NCPC to safeguard hard copy and computerized records subject to the Privacy Act. The section requires hard copy Records to be stored in a locked room subject to restricted access with external posted warning signs limiting access to authorized personnel and/or stored in a locked container with identical precautions to those used for a locked room. The section requires computerized Records to be maintained subject to the Safeguards recommended by the National Institute of Standards and Technology (NIST).
§ 603.8 Employee conduct. This section requires employees with duties requiring access to and handling of Records to do so in a manner that protects the integrity, security and confidentiality of the Records. It prohibits employee disclosure of records unless authorized by the rules in this part, permitted by NCPC’s FOIA regulations (1 CFR part 602), or disclosed to the Individual to whom the Record pertains. The section also prohibits destruction or alteration of Records unless required as part of an employee’s regular duties, required by regulations published by the National Archives Record Administration (NARA), or required by a court of law.
§ 603.9 Government contracts. This section requires contractors operating a System of Records on behalf of NCPC to abide by the requirements of the Privacy Act. It also requires a NCPC employee to oversee and manage the SOR operated by a contractor.
§ 603.10 Conditions for disclosure. Subject to a list of enumerated exceptions, this section precludes disclosure of a Record contained in a SOR unless prior written consent is obtained from the Individual to whom the record pertains.
§ 603.11 Accounting of disclosures. This section requires NCPC to prepare an accounting of disclosure when a Record is disclosed to any person or to another agency. The section requires the contents of an accounting to include the date, nature, and purpose of the disclosure and the name and address of the person or agency to whom the disclosure was made. The section also requires Accountings of disclosures to be made available to the Individual about whom the disclosed Record pertains except under limited circumstances. It further requires changes to disclosed Records to be shared with the person or agency to whom the Record was originally disclosed.
§ 603.12 Requests for notification of the existence of Records. This section advises Individuals how to determine whether a System of Records maintained by NCPC contains Records pertaining to them. It requires Individuals either to contact NCPC in writing or appear at NCPC’s offices by appointment to make the subject request. The section requires the NCPC PAO to respond to a request in writing within 20 Workdays, to include in the response the Reason(s) for the PAO’s determination, and to advise the requester of the right to appeal the decision.
§ 603.13 Request for access to Records. This section advises Individuals how to access NCPC records about themselves. It requires Individuals to request the right to access Records either in writing or to appear at NCPC’s offices by appointment. The section enumerates the information required to be included in a request, and obligates Individuals to present certain specified identification to access the requested Records. The section also requires the NCPC PAO to respond to a request for access in writing within 20 Workdays, to state in the response the reason for the PAO’s determination, and to advise the Requester of the right to appeal an Adverse Determination.
§ 603.14 Requests for amendment or correction of Records. This section outlines the process Individuals must follow to amend or correct Records about them that they believe are inaccurate, irrelevant, untimely or incomplete. The section requires a request for amendment or correction to be in writing, include certain specified information, and to be made only if the Individual has previously requested and been granted access to the Record. The section also requires the NCPC PAO to respond to a request for amendment or correction in writing within 20 Workdays, to state the reason for the PAO’s determination in the response, to advise the requester of the right to appeal an Adverse Determination, to ensure the Record is amended or corrected in whole or in part if the PAO approves the request, and to place a notation of a dispute on the Record if the request is denied.
§ 603.15 Requests for an accounting of Records disclosures. This section outlines the process Individuals must follow to obtain information about disclosures of Records pertaining to them. It requires a request for information about Records disclosed to include certain specified information. The section also requires the NCPC PAO to respond to a request for information about disclosures in writing within 20 Workdays, to include, in the event of a disclosure, the date, nature and purpose of the disclosure, and the name and address of the person or agency to whom the disclosure was made. The section further requires the PAO to state the reason for his/her determination and to advise the requester of the right to appeal an Adverse Determination.
§ 603.16 Appeals of Adverse Determinations. This section describes the process Individuals must follow to appeal an Adverse Determination. As defined in the definition section of the regulations, Adverse Determination means a decision to withhold any requested Record in whole or in part; a decision that the requested Record does not exist or cannot be located; a decision that the requested information is not a Record subject to the Privacy Act; a decision that a Record, or part thereof, does not require amendment or correction; a decision to refuse to disclose an accounting of disclosure; and a decision to deny a fee waiver. The term also encompasses a challenge to NCPC’s determination that Records have not been described adequately, that there are no responsive Records, or that an adequate search has been conducted. The section requires an Individual to submit a written appeal to the Chairman of the Commission stating the legal, factual or other basis for the Appeal, and it requires the Chairman to provide a written response within 30 Workdays. The section also requires NCPC to take prompt action to respond affirmatively to the Individual’s original request if the Chairman grants the request and to state the reasons for a denial and the right to appeal the denial to a court of competent jurisdiction.
§ 603.17 Fees. This section states the fees to be charged for the search for and duplication of Records. It advises fees for duplication shall be those established by NCPC’s FOIA Regulations, and it states there are no fees for the search or review of Records requested by an Individual.
§ 603.18 Privacy Impact Assessments. This section states when NCPC must conduct a Privacy Impact Assessment (PIA), the contents of a PIA, and the process for approving the PIA. The section requires a PIA to be conducted before developing or procuring an IT system that collects, maintains or disseminates Information that identifies an Individual (IIF or Information in Identifiable Form) or when NCPC installs a new collection of IIF for 10 or more persons other than employees, or agencies of the federal government. The section also requires a PIA to analyze a number of factors related to the collection, use, owner, storage and manner of securing the IIF, and it requires the PIA to be approved and posted on NCPC’s Web site prior to undertaking the action that required the PIA.
II. Summary of and Response to Comments
NCPC published a proposed rule addressing revisions to its current Privacy Act Regulations in the Federal Register on August 1, 2017 for a 30-day public comment period. The public comment period closed on August 31, 2017.
NCPC received no comments on its proposed Privacy Act Regulations. Consequently, the proposed Privacy Act Regulations are now being advertised as the final Privacy Act Regulations.
III. Compliance With Laws and Executive Orders
Executive Orders 12866 and 13563
By Memorandum dated October 12, 1993 from Sally Katzen, Administrator, Office of Information and Regulatory Affairs (OIRA) to Heads of Executive Departments and Agencies, and Independent Agencies, OMB rendered the NCPC exempt from the requirements of Executive Order 12866 (See, Appendix A of cited Memorandum). Nonetheless, NCPC endeavors to adhere to the provisions of Executive Orders and developed this rule in a manner consistent with the requirements of Executive Order 13563.
Executive Order 13771
By virtue of its exemption from the requirements of EO 12866, NCPC is exempted from this Executive Order. NCPC confirmed this fact with OIRA.
Regulatory Flexibility Act
As required by the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), the NCPC certifies that the rule will not have a significant economic effect on a substantial number of small entities.
Small Business Regulatory Enforcement Fairness Act
This is not a major rule under 5 U.S.C. 804(2), the Small Business Regulatory Enforcement Fairness Act. It does not have an annual effect on the economy of $100 million or more; will not cause a major increase in costs for individuals, various levels of governments or various regions; and does not have a significant adverse effect on competition, employment, investment, productivity, innovation or the competitiveness of US enterprises with foreign enterprises.
Unfunded Mandates Reform Act (2 U.S.C. 1531 et seq.)
A statement regarding the Unfunded Mandates Reform Act is not required. The rule neither imposes an unfunded mandate of more than $100 million per year nor imposes a significant or unique effect on State, local or tribal governments or the private sector.
Federalism (Executive Order 13132)
In accordance with Executive Order 13132, the rule does not have sufficient federalism implications to warrant the preparation of a Federalism Assessment. The rule does not substantially and directly affect the relationship between the Federal and state governments.
Civil Justice Reform (Executive Order 12988)
The General Counsel of NCPC has determined that the rule does not unduly burden the judicial system and meets the requirements of Executive Order 12988 3(a) and 3(b)(2).
Paperwork Reduction Act
The rule does not contain information collection requirements, and it does not require a submission to the Office of Management and Budget under the Paperwork Reduction Act.
9. National Environmental Policy Act
The rule is of an administrative nature, and its adoption does not constitute a major federal action significantly affecting the quality of the human environment. NCPC’s adoption of the rule will have minimal or no effect on the environment; impose no significant change to existing environmental conditions; and will have no cumulative environmental impacts.
10. Clarity of the Regulation
Executive Order 12866, Executive Order 12988, and the Presidential Memorandum of June 1, 1998 require the NCPC to write all rules in plain language. NCPC maintains the rule meets this requirement. Those individuals reviewing the rule who believe otherwise should submit specific comments to the addresses noted above recommending revised language for those provisions or portions thereof where they believe compliance is lacking.
11. Public Availability of Comments
Be advised that personal information such as name, address, phone number, electronic address, or other identifying personal information contained in a comment may be made publicly available. Individuals may ask NCPC to withhold the personal information in their comment, but there is no guarantee the agency can do so.
List of Subjects in 1 CFR Parts 455 and 603
Privacy
For the reasons stated in the preamble, the National Capital Planning Commission amends 1 CFR Chapters IV and VI as follows:
CHAPTER IV—MISCELLANEOUS AGENCIES
PART 455—[Removed]
■ 1. Under the authority of 40 U.S.C. 8711(a) remove part 455.
CHAPTER VI—NATIONAL CAPITAL PLANNING COMMISSION
■ 2. Add part 603 to read as follows:
PART 603—PRIVACY ACT REGULATIONS
Sec.
603.1 Purpose and scope.
603.2 Definitions.
603.3 Privacy Act program responsibilities.
603.4 Standard used to Maintain Records.
603.5 Notice to Individuals supplying information.
603.6 System of Records Notice or SORN.
603.7 Procedures to safeguard Records.
603.8 Employee conduct.
603.9 Government contracts.
603.10 Conditions of disclosure.
603.11 Accounting for disclosures.
603.12 Requests for notification of the existence of Records.
603.13 Requests for access to Records.
603.14 Requests for Amendment or Correction of Records.
603.15 Requests for Accounting of Record disclosures.
603.16 Appeals of Adverse Determinations.
603.17 Fees.
603.18 Privacy Impact Assessments.
Authority: 5 U.S.C. 552a as amended and 44 U.S.C. ch. 36.
§ 603.1 Purpose and scope.
(a) This part contains the rules the National Capital Planning Commission (NCPC) shall follow to implement a privacy program as required by the Privacy Act of 1974, 5 U.S.C. 552a (Privacy Act or Act) and the privacy provisions of the E-Government Act of 2002 (44 U.S.C. ch. 36) (E-Government Act). These rules should be read together with the Privacy Act and the privacy related provisions of the E-Government Act, which provide additional information respectively about Records maintained on individuals and protections for the privacy of personal information as agencies implement citizen-centered electronic Government.
(b) Consistent with the requirements of the Privacy Act, the rules in this part apply to all Records maintained by NCPC in a System of Records; the responsibilities of the NCPC to safeguard this information; the procedures by which Individuals may request notification of the existence of a record, request access to Records about themselves, request an amendment to or correction of those Records, and request an accounting of disclosures of those Records by the NCPC; and the procedures by which an Individual may appeal an Adverse Determination.
(c) Consistent with the privacy related requirements of the E-Government Act, the rules in this part also address the conduct of a privacy impact assessment prior to developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form, initiating a new electronic collection of information in identifiable form for 10 or more persons excluding agencies, instrumentalities or employees of the federal government, or changing an existing System that creates new privacy risks.
(d) In addition to the rules in this part, the NCPC shall process all Privacy Act Requests for Access to Records in accordance with the Freedom of Information Act (FOIA), 5 U.S.C. 552, and part 602 of this chapter.
§ 603.2 Definitions.
For purposes of this part, the following definitions shall apply:
Adverse Determination shall mean a decision to withhold any requested Record in whole or in part; a decision that the requested Record does not exist or cannot be located; a decision that the requested information is not a Record subject to the Privacy Act; a decision that a Record, or part thereof, does not require amendment or correction; a decision to refuse to disclose an accounting of disclosure; and a decision to deny a fee waiver. The term shall also encompass a challenge to NCPC’s determination that Records have not been described adequately, that there are no responsive Records or that an adequate search has been conducted.
E-Government Act of 2002 shall mean Public Law 107–347, Dec. 17, 2002, 116 Stat. 2899, the privacy portions of which are set out as a note under section 3501 of title 44.
Individual shall mean a citizen of the United States or an alien lawfully admitted for permanent residence.
Information in Identifiable Form (IIF) shall mean information in an Information Technology system or an online collection that directly identifies an individual, e.g., name, address, social security number or other identifying number or code, telephone number, email address and the like; or information by which the NCPC intends to identify specific individuals in conjunction with other data elements, e.g., indirect identification that may include a combination of gender, race, birth date, geographic identifiers, and other descriptions.
Information Technology (IT) shall mean, as defined in the Clinger Cohen Act (40 U.S.C. 11101(6)), any equipment, software or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data.
Maintain shall include maintain, collect, use or disseminate a Record.
Privacy Act Officer shall mean the individual within the NCPC charged with responsibility for coordinating and implementing NCPC’s Privacy Act program.
Privacy Act or Act shall mean the Privacy Act of 1974, as amended and codified at 5 U.S.C. 552a.
Privacy Impact Assessment (PIA) shall mean an analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic system; and to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
Record shall mean any item, collection, or grouping of information about an Individual that is Maintained by the NCPC, including, but not limited to, an Individual’s education, financial transactions, medical history, and criminal or employment history and that contains a name, or identifying number, symbol, or other identifying particular assigned to the Individual, such as a finger or voice print or photograph.
Requester shall mean an Individual who makes a Request for Access to a Record, a Request for Amendment or Correction of a Record, or a Request for Accounting of a Record under the Privacy Act.
Request for Access to a Record shall mean a request by an Individual made to the NCPC pursuant to subsection (d)(1) of the Privacy Act to gain access to his/her Records or to any information pertaining to him/her in the system and to permit him/her, or a person of his/her choosing, to review and copy all or any portion thereof.
Request for Amendment or Correction of a Record shall mean a request made by an Individual to the NCPC pursuant to subsection (d)(2) of the Privacy Act to amend or correct a Record pertaining to him/her.
Routine Use shall mean, with respect to disclosure of a Record, the use of such Record for a purpose which is compatible with the purpose for which the Record is collected.
Senior Agency Official for Privacy (SAOP) shall mean the individual within NCPC responsible for establishing and overseeing the NCPC’s Privacy Act program.
System of Records or System (SOR or Systems) shall mean a group of any Records under the control of the NCPC from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
System of Record Notice (SORN) shall mean a notice published in the Federal Register by the NCPC for each new or revised System of Records intended to solicit public comment on the System prior to implementation.
Workday shall mean a regular Federal workday excluding Saturday, Sunday and legal Federal holidays when the federal government is closed.
§ 603.3 Privacy Act program responsibilities.
(a) The NCPC shall designate a Senior Agency Official for Privacy (SAOP) to establish and oversee the NCPC’s Privacy Act Program and ensure compliance with privacy laws, regulations and the NCPC’s privacy policies. Specific responsibilities of the SAOP shall include:
(1) Reporting to the Office of Management and Budget (OMB) and Congress on the establishment of or revision to Privacy Act Systems;
(2) Reporting periodically to OMB on Privacy Act activities as required by law and OMB;
(3) Signing Privacy Act SORNS for publication in the Federal Register;
(4) Approving and signing PIAs; and
(5) Serving as head of the agency response team when responding to a large-scale information breach.
(b) The NCPC shall designate a Privacy Act Officer (PAO) to coordinate and implement the NCPC’s Privacy Act program. Specific responsibilities of the PAO shall include:
(1) Developing, issuing and updating, as necessary, the NCPC’s Privacy Act policies, standards, and procedures;
(2) Maintaining Privacy Act program Records and documentation;
(3) Responding to Privacy Act Requests for Records and coordinating appeals of Adverse Determinations for Requests for access to Records, Requests for Amendment or Correction of Records, and Requests for accounting for disclosures;
(4) Informing Individuals of information disclosures;
(5) Working with the NCPC’s Division Directors or designated staff to develop an appropriate form for collection of Privacy Act information and including in the form a Privacy Act statement explaining the purpose for collecting the information, how it will be used, the authority for such collection, its routine uses, and the effect upon the Individual of not providing the requested information;
(6) Assisting in the development of new or revised SORNs;
(7) Developing SORN reports for OMB and Congress;
(8) Submitting new or revised SORNS to the Federal Register for publication;
(9) Assisting in the development of computer matching systems;
(10) Preparing Privacy Act, Computer Matching, and other reports to OMB as required; and
(11) Evaluating PIA to ensure compliance with E-Government Act requirements.
(c) Other Privacy related responsibilities shall be shared by the NCPC Division Directors, the NCPC Chief Information Officer (CIO), the NCPC System Developers and Designers, the NCPC Configuration Control Board, the NCPC employees, and the Chairman of the Commission.
(1) The NCPC Division Directors shall be responsible for coordinating with the PAO the implementation of the requirements set forth in this part for Systems of Records applicable to their area of management and the preparation of PIA prior to development or procurement of new systems that collect, maintain or disseminate IIF. Specific responsibilities include:
(i) Reviewing existing SOR for need, relevance, and purpose for existence, and proposing SOR changes to the PAO as necessary in response to altered circumstances;
(ii) Reviewing existing SOR to ensure information is accurate, complete and up to date;
(iii) Coordinating with the PAO the preparation of new or revised SORN;
(iv) Coordinating with the PAO the
development of an appropriate form for
collection of Privacy Act information
and including in the form a Privacy Act
statement explaining the purpose for
collecting the information, how it will
be used, the authority for such
collection, its routine uses, and the
effect upon the Individual of not
providing the requested information;
(v) Collecting information directly
from individuals whenever possible;
(vii) Assisting the PAO with
providing access to Individuals who
request information in accordance with
the procedures established in §§ 603.12,
603.13, 603.14 and 603.15.
(vii) Amending Records if and when
appropriate, and working with the PAO
to inform recipients of former Records
of such amendments;
(viii) Ensuring that System
information is used only for its stated
purpose;
(ix) Establishing and overseeing
appropriate administrative, technical,
and physical safeguards to ensure
security and confidentiality of Records;
and
(x) Working with the SAOP, the PAO
and Configuration Control Board (CCB)
on SORs, preparing a PIA, if needed,
and obtaining SAOP approval for a PIA
prior to its publication on the NCPC
Web site.
(2) The CIO shall be responsible for
implementing IT security management
to include security for information
protected by the Privacy Act and the E-Government Act of 2002. Specific
responsibilities include:
(i) Overseeing security policy for
privacy data; and
(ii) Reviewing PIAs prepared for
information security considerations.
(3) The NCPC System Developers and
Designers shall be responsible for
ensuring that the IT system design and
specifications conform to privacy
standards and requirements and that
technical controls are in place for
safeguarding personal information from
unauthorized access.
(4) The NCPC CCB shall, among other
responsibilities, verify that a PIA has
been prepared prior to approving a
request to develop or procure
information technology that collects,
maintains, or disseminates Information
in Identifiable Form.
(5) The NCPC employees shall ensure
that any personal information they use
in the conduct of their official
responsibilities is protected in
accordance with the rules set forth in
this part.
(6) The Chairman of the Commission
shall be responsible for acting on all
appeals of Adverse Determinations.
§ 603.4 Standards used to Maintain
Records.
(a) Records Maintained by the NCPC
shall contain only such information
about an Individual as is relevant and
necessary to accomplish a purpose
NCPC must accomplish to comply with
relevant statutes or Executive Orders of
the President.
(b) Records Maintained by the NCPC
and used to make a determination about
an Individual shall be accurate,
relevant, timely, and complete to assure
a fair determination.
(c) Information used by the NCPC in
making a determination about an
Individual’s rights, benefits, and
privileges under federal programs shall
be collected, to the greatest extent
practicable, directly from the
Individual. In deciding whether
collection of information about an
Individual, as opposed to a third party
is practicable, the NCPC shall consider
the following:
(1) Whether the information sought
can only be obtained from a third party;
(2) Whether the cost to collect the
information from an Individual is
unreasonable compared to the cost of
collecting the information from a third
party;
(3) Whether there is a risk of
collecting inaccurate information from a
third party that could result in a
determination adverse to the Individual
concerned;
(4) Whether the information collected
from an Individual requires verification
by a third party; and
(5) Whether the Individual can verify
information collected from third parties.
(d) The NCPC shall not Maintain
Records describing how an Individual
exercises rights guaranteed by the First
Amendment to the Constitution unless
the maintenance of the Record is
expressly authorized by statute or by the
Individual about whom the Record is
Maintained or pertinent to and within
the scope of an authorized law
enforcement activity.
§ 603.5 Notice to Individuals supplying
information.
(a) Each Individual asked to supply
information about himself/herself to be
added to a System of Records shall be
informed by the NCPC of the basis for
requesting the information, its potential
use, and the consequences, if any, of not
supplying the information. Notice to the
Individual shall state at a minimum:
(1) The legal authority for NCPC’s
solicitation of the information and
whether disclosure is mandatory or
voluntary;
(2) The principal purpose(s) for which
the NCPC intends to use the
information;
(3) The potential routine uses of the
information by the NCPC as published
in a Systems of Records Notice; and
(4) The effects upon the individual, if
any, of not providing all or any part of
the requested Information to the NCPC.
(b) When NCPC collects information
on a standard form, the notice to the
Individual shall either be provided on
the form, on a tear off sheet attached to
the form, or on a separate form,
whichever is deemed the most practical
by the NCPC.
(c) NCPC may ask an Individual to
acknowledge, in writing, receipt of the
notice required by this section.
§ 603.6 System of Records Notice or
SORN.
(a) The NCPC shall publish a notice
in the Federal Register describing each
System of Records 40-days prior to the
establishment of a new or revision to an
existing System of Records.
(b) The SORN shall include:
(1) The name and location of the
System of Records. The name shall
identify the general purpose, and the
location shall include whether the
system is located on the NCPC's main
server or central files. The physical
address of either shall also be included.
(2) The categories or types of
Individuals on whom NCPC Maintains
Records in the System of Records;
(3) The categories or types of Records
in the System;
(4) The statutory or Executive Order
authority for Maintenance of the
System;
(5) The purpose(s) or explanation of
why the NCPC collects the particular
Records including identification of all
internal and routine uses;
(6) The policies and practices of the
NCPC regarding storage, retrieval, access
controls, retention and disposal of
Records;
(7) The title and business address of
the agency official responsible for the
identified System of Records;
(8) The NCPC procedures for
notification to an Individual who
requests if a System of Records contains
a Record about the Individual; and
(9) The NCPC sources of Records in
the System.
§ 603.7 Procedures to safeguard Records.
(a) The NCPC shall implement the
procedures set forth in this section to
ensure sufficient administrative,
technical and physical safeguards exist
to protect the security and
confidentiality of Records. The
enumerated procedures shall also
protect against any anticipated threats
or hazards to the security of Records
with the potential to cause substantial
harm, embarrassment, inconvenience, or
unfairness to any Individual on whom
information is Maintained.
(b) Manual Records subject to the
Privacy Act shall be maintained by the
NCPC in a manner commensurate with
the sensitivity of the information
contained in the Records. The following
minimum safeguards or safeguards
affording comparable protection shall
apply to manual Systems of Records:
(1) The NCPC shall post areas where
Records are maintained or regularly
used with an appropriate warning sign
stating access to the Records shall be
limited to authorized persons. The
warning shall also advise that the
Privacy Act prescribes criminal
penalties for unauthorized disclosure of
Records subject to the Act.
(2) During work hours, the NCPC shall
protect areas in which Records are
Maintained or regularly used by
restricting occupancy of the area to
authorized persons or storing the
Records in a locked container and room.
(3) During non-working hours, access
to Records shall be restricted by their
storage in a locked storage container and
room.
(4) Any lock used to secure a room
where Records are stored shall not be
capable of being disengaged with a
master key that opens rooms other than
those in which Records are stored.
(c) Computerized Records subject to
the Privacy Act shall be maintained, at
a minimum, subject to the safeguards
recommended by the National Institute
of Standards and Technology (NIST)
Special Publications 800–53,
Recommended Security Controls for
Federal Information Systems and
Organizations as revised from time to
time or any superseding guidance
offered by NIST or other federal agency
charged with the responsibility for
providing recommended safeguards for
computerized Records subject to the
Privacy Act.
(d) NCPC shall maintain a System of
Records comprised of Office of
Personnel Management (OPM)
personnel Records in accordance with
standards prescribed by OPM and
published at 5 CFR 293.106–293.107.
§ 603.8 Employee conduct.
(a) Employees with duties requiring
access to and handling of Records shall,
at all times, take care to protect the
integrity, security, and confidentiality of
the Records.
(b) No employee of the NCPC shall
disclose Records unless disclosure is
permitted by § 603.10(b), by part 602 of
this chapter, or disclosed to the
Individual to whom the Record pertains.
(c) No employee of the NCPC shall
alter or destroy a Record unless such
alteration or destruction is undertaken in
the course of the employee’s regular
duties or such alteration or destruction
is allowed pursuant to regulations
published by the National Archives and
Records Administration (NARA) or
required by a court of competent
jurisdiction. Records shall not be
destroyed or disposed of while they are
the subject of a pending request, appeal
or lawsuit under the Privacy Act.
§ 603.9 Government contracts.
(a) When a contract provides for third
party operation of a SOR on behalf of
the NCPC to accomplish a NCPC
function, the contract shall require that
the requirements of the Privacy Act and
the rules in this part be applied to such
System.
(b) The Division Director responsible
for the contract shall designate a NCPC
employee to oversee and manage the
SOR operated by the contractor.
§ 603.10 Conditions for disclosure.
(a) Except as set forth in paragraph (b)
of this section, no Record contained in
a SOR shall be disclosed by any means
of communication to any person, or to
another agency, unless prior written
consent is obtained from the Individual
to whom the Record pertains.
(b) The limitations on disclosure
contained in paragraph (a) of this
section shall not apply when disclosure
of a Record is:
(1) To employees of the NCPC for use
in the performance of their duties;
(2) Required by the Freedom of
Information Act (FOIA), 5 U.S.C. 555;
(3) For a Routine Use as described in
a SORN;
(4) To the Bureau of Census for
statistical purposes, provided that the
Record must be transferred in a form
that precludes individual identification;
(5) To an Individual who provides
NCPC adequate written assurance that
the Record shall be used solely for
statistical or research purposes,
provided that the Record must be
transferred in a form that precludes
Individual identification;
(6) To the NARA because the Record
warrants permanent retention because
of historical or other national value as
determined by NARA or to permit
NARA to determine whether the Record
has such value;
(7) To a law enforcement agency for
a civil or criminal law enforcement
activity, provided that the law
enforcement agency must submit a
written request to the NCPC specifying
the Record(s) sought and the purpose for
which they will be used;
(8) To any person upon demonstration
of compelling information that an
Individual’s health or safety is at stake
and provided that upon disclosure,
notification is given to the Individual to
whom the Record pertains at that
Individual’s last known address;
(9) To either House of Congress, and
any committee or subcommittee thereof,
to include joint committees of both
houses and any subcommittees thereof,
when a Record falls within their
jurisdiction;
(10) To the Comptroller General, or
any of his authorized representatives, to
allow the Government Accountability
Office to perform its duties;
(11) Pursuant to a court order by a
court of competent jurisdiction; and
(12) To a consumer reporting agency
trying to collect a claim of the
government as authorized by 31 U.S.C.
3711(e).
§ 603.11 Accounting of disclosures.
(a) Except for disclosures made under
§§ 603.10(b)(1)–(2), when a Record is
disclosed to any person, or to another
agency, NCPC shall prepare an
accounting of the disclosure. The
accounting shall record the date,
nature, and purpose of the disclosure
and the name and address of the person
or agency to whom the disclosure was
made. The NCPC shall maintain all
accountings for a minimum of five years
or the life of the Record, whichever is
greater, after the disclosure is made.
(b) Except for disclosures under
§ 603.10(b)(7), accountings of all
disclosures shall be made available to
the Individual about whom the
disclosed Record pertains at his/her
request. Such request shall be made in
accordance with the requirements of
§ 603.15.
(c) For any disclosure for which an
accounting is made, if a subsequent
amendment or correction or notation of
dispute is made to a Record by the
NCPC in accordance with the
requirements of § 603.14, the Individual
and/or agency to whom the Record was
originally disclosed shall be informed.
§ 603.12 Requests for notification of the
existence of Records.
(a) An Individual seeking to
determine whether a System of Records
contains Records pertaining to him/her
shall do so by appearing in person at
NCPC’s official place of business or by
written correspondence to the NCPC
PAO. In-person requests shall be by
appointment only with the PAO on a
Workday during regular office hours.
Written requests sent via the U.S. mail
shall be directed to the Privacy Act
Officer at NCPC’s official address listed
at www.ncpc.gov. If sent via email or
facsimile, the request shall be directed
to the email address or facsimile
number indicated on the NCPC Web
site. To expedite internal handling of
Privacy Act Requests, the words Privacy
Act Request shall appear prominently
on the envelope or the subject line of an
email or facsimile cover sheet.
(b) The Request shall state that the
Individual is seeking information
concerning the existence of Records
about himself/herself and shall supply
information describing the System
where such Records might be
maintained as set forth in a System of
Record Notice.
(c) The NCPC PAO shall notify the
Requester in writing within 20
Workdays of the Request whether a
System contains Records pertaining to
him/her unless the Records were
compiled in reasonable anticipation of a
civil action or proceeding or the Records
are NCPC employee Records under the
jurisdiction of the OPM. In both of the
latter cases the Request shall be denied.
If the Request is denied because the
Record(s) is/are under the jurisdiction of
the OPM, the response shall advise the
Requester to contact OPM. If the PAO
denies the Request, the response shall
state the reason for the denial and
advise the Requester of the right to
appeal the decision within 60 days of
the date of the letter denying the request
in accordance with the requirements set
forth in § 603.16.
§ 603.13 Requests for access to Records.
(a) An Individual seeking access to
Records about himself/herself shall do
so by appearing in person at NCPC’s
official place of business or by written
correspondence to the NCPC Privacy
Act Officer. In-person requests shall be
by appointment only with the Privacy
Act Officer on a Workday during regular
office hours. For written requests sent
via the U.S. mail, the Request shall be
directed to the Privacy Act Officer at
NCPC’s official address listed at
www.ncpc.gov. If sent via email or
facsimile, the request shall be directed
to the email address or facsimile
number indicated on the NCPC Web
site. To expedite internal handling of
Privacy Act Requests, the words Privacy
Act Request shall appear prominently
on the envelope or the subject line of an
email or facsimile cover sheet.
(b) The Request shall:
(1) State the Request is made pursuant
to the Privacy Act;
(2) Describe the requested Records in
sufficient detail to enable their location
including, without limitation, the dates
the Records were compiled and the
name or identifying number of each
System of Record in which they are kept
as identified in the list of NCPC’s
SORNs published on its Web site; and
(3) State pursuant to the fee schedule
set forth in § 603.17 a willingness to
pay all fees associated with the Privacy
Act Request or the maximum fee the
Requester is willing to pay.
(c) The NCPC shall require
identification as follows before releasing
Records to an Individual:
(1) An Individual Requesting Privacy
Act Records in person shall present a
valid, photographic form of
identification such as a driver’s license,
employee identification card, or
passport that renders it possible for the
PAO to verify that the Individual is the
same Individual as contained in the
requested Records.
(2) An Individual Requesting Privacy
Act Records by mail shall state their full
name, address and date of birth in their
correspondence. The Request must be
signed and the signature must either be
notarized or submitted with a statement
signed and dated as follows: I declare
under penalty of perjury that the
foregoing facts establishing my
identification are true and correct.
(d) The PAO shall determine within
20 Workdays whether to grant or deny
an Individual’s Request for Access to
the requested Record(s) and notify the
Individual in writing accordingly. The
PAO’s response shall state his/her
determination and the reasons therefor.
If the Request is denied because the
Record(s) is/are under the jurisdiction of
the OPM, the response shall advise the
Requester to contact OPM. In the case of
an Adverse Determination, the written
notification shall advise the Individual
of his/her right to appeal the Adverse
Determination in accordance with the
requirements of § 603.16.
§ 603.14 Requests for Amendment or
Correction of Records.
(a) An Individual seeking to amend or
correct a Record pertaining to him/her
that he/she believes to be inaccurate,
irrelevant, untimely or incomplete shall
submit a written request to the PAO at
the address listed on NCPC’s official
Web site www.ncpc.gov. If sent via
email or facsimile, the Request shall be
directed to the email address or
facsimile number indicated on the
NCPC Web site. To expedite internal
handling, the words Privacy Act
Request shall appear prominently on the
envelope or the subject line of an email
or facsimile cover sheet.
(b) The Request shall:
(1) State the Request is made pursuant
to the Privacy Act;
(2) Describe the requested Record in
sufficient detail to enable its location
including, without limitation, the dates
the Record was compiled and the name
or identifying number of the System of
Record in which the Record is kept as
identified in the list of NCPC’s SORNs
published on its Web site;
(3) State in detail the reasons why the
Record, or objectionable portion(s)
thereof, is/are not accurate, relevant,
timely or complete.
(4) Include copies of documents or
evidence relied upon in support of the
Request for Amendment or Correction;
and
(5) State specifically, and in detail,
the changes sought to the Record, and
if the changes include rewriting the
Record, or portions thereof, or adding
new language, the Individual shall
propose specific language to implement
the requested changes.
(c) A request to Amend or Correct a
Record shall be submitted only if the
Requester has previously requested and
been granted access to the Record and
has inspected or been given a copy of
the Record.
(d) The PAO shall render a decision
within 20 Workdays. If the Request for
an Amendment or Correction fails to
meet the requirements of paragraphs
(b)(1)–(5) of this section, the PAO shall
advise the Individual of the deficiency
and advise what additional information
is required to act upon the Request. The
timeframe for a decision on the Request
shall be tolled (stopped) during the
pendency of a request for additional
information and shall resume when the
additional information is received. If the
Requester fails to submit the requested
additional information within a
reasonable time, the PAO shall reject the
Request.
(e) The PAO’s decision on a Request
for Amendment or Correction shall be in
writing and state the basis for the
decision. If the Request is denied
because the Record(s) is/are under the
jurisdiction of the OPM, the response
shall advise the Requester to contact
OPM. In the event of an Adverse
Determination, the written notification
shall advise the Individual of his/her
right to appeal the Adverse
Determination in accordance with the
requirements of § 603.16.
(f) If the PAO approves the Request
for Amendment or Correction, the PAO
shall ensure that subject Record is
amended or corrected, in whole or in
part. If the PAO denies the Request for
Amendment or Correction, a notation of
dispute shall be noted on the Record. If
an accounting of disclosure has been
made pursuant to § 603.11, the PAO
shall advise all previous recipients of
the Record that an amendment or
correction or notation of dispute has
been made and, if applicable, the
substance of the change.
§ 603.15 Requests for Accounting of
Record disclosures.
(a) An Individual seeking information
regarding an accounting of disclosure of
a Record pertaining to him/her made in
accordance with § 603.11 shall submit a
written request to the PAO at the
address listed on NCPC’s official Web
site www.ncpc.gov. If sent via email or
facsimile, the Request shall be directed
to the email address or facsimile
number indicated on the NCPC Web
site. To expedite internal handling, the
words Privacy Act Request shall appear
prominently on the envelope or the
subject line of an email or facsimile
cover sheet.
(b) The Request shall:
(1) State the Request is made pursuant
to the Privacy Act; and
(2) Describe the requested Record in
sufficient detail to determine whether it
is or is not contained in an accounting
of disclosure.
(c) The NCPC PAO shall notify the
Requester in writing within 20
Workdays of the Request and advise if
the Record was included in an
accounting of disclosure. In the event of
a disclosure, the response shall include
the date, nature, and purpose of the
disclosure and the name and address of
the person or agency to whom the
disclosure was made. If the Request is
denied because the Record(s) is/are
under the jurisdiction of the OPM, the
response shall advise the Requester to
contact OPM. In the event of an Adverse
Determination, the written notification
shall advise the Individual of his/her
right to appeal the Adverse
Determination in accordance with the
requirements of § 603.16.
§ 603.16 Appeals of Adverse
Determinations.
(a) Except for appeals pursuant to
paragraph (d) of this section, an appeal
of an Adverse Determination shall be
made in writing addressed to the
Chairman (Chairman) of the National
Capital Planning Commission at the
address listed on NCPC's official Web
site www.ncpc.gov. If sent via email or
facsimile, the Request shall be directed
to the email address or facsimile
number indicated on the NCPC Web
site. To expedite internal handling, the
words Privacy Act Request shall appear
prominently on the envelope or the
subject line of an email or facsimile
cover sheet. An appeal of an Adverse
Determination shall be made within 30
Workdays of the date of the decision.
(b) An appeal of an Adverse
Determination shall include a statement
of the legal, factual or other basis for the
Requester's objection to an Adverse
Determination; a daytime phone number
or email where the Requester can be
reached if the Chairman requires
additional information or clarification
regarding the appeal; copies of the
initial request and the PAO's written
response; and for an Adverse
Determination regarding a fee waiver, a
demonstration of compliance with part
602 of this chapter.
(c) The Chairman shall respond to an
appeal of an Adverse Determination in
writing within 20 Workdays of receipt
of the appeal. If the Chairman grants the
appeal, the Chairman shall notify the
Requester, and the NCPC shall take
prompt action to respond affirmatively
to the original Request upon receipt of
any fees that may be required. If the
Chairman denies the appeal, the letter
shall state the reason(s) for the denial,
a statement that the decision is final,
and advise the Requester of the right to
seek judicial review of the denial in the
District Court of the United States in
either the district in which the
Requester resides, the district in which
the Requester has his/her principal
place of business or the District of
Columbia.
(d) The appeal of an Adverse
Determination based on OPM
jurisdiction of the Records shall be
made to OPM pursuant to 5 CFR
297.306.
(e) The NCPC shall not act on an
appeal of an Adverse Determination if
the underlying Request becomes the
subject of litigation.
(f) A party seeking court review of an
Adverse Determination must first appeal
the Adverse Determination under this
section.
§ 603.17 Fees.
(a) The NCPC shall charge for the
duplication of Records under this
subpart in accordance with the schedule
of fees set forth in part 602 of this
chapter. The NCPC shall not charge
duplication fees when the Requester
asks to inspect the Records personally
but is provided copies at the discretion
of the agency.
(b) The NCPC shall not charge any
fees for the search for or review of
Records requested by an Individual.
§ 603.18 Privacy Impact Assessments.
(a) Consistent with the requirements
of the E-Government Act and OMB
Memorandum M–03–22, the NCPC shall
conduct a PIA before:
(1) Developing or procuring IT
systems or projects that collect,
maintain, or disseminate IIF; or
(2) Installing a new collection of
information that will be collected,
maintained, or disseminated using IT
and includes IIF for 10 or more persons
(excluding agencies, instrumentalities or
employees of the federal government).
(b) The PIA shall be prepared through
the coordinated effort of the NCPC’s
privacy Officers (SAOP, PAO), Division
Directors, CIO, and IT staff.
(c) As a general rule, the level of
detail and content of a PIA shall be
commensurate with the nature of the
information to be collected and the size
and complexity of the IT system
involved. Specifically, a PIA shall
analyze and describe:
(1) The information to be collected;
(2) The reason the information is
being collected;
(3) The intended use for the
information;
(4) The identity of those with whom
the information will be shared;
(5) The opportunities Individuals
have to decline to provide the
information or to consent to particular
uses and how to consent;
(6) The manner in which the
information will be secured; and
(7) The extent to which the system of
records is being created under the
Privacy Act.
(d) In addition to the information
specified in paragraphs (b)(1)–(7) of this
section, the PIA must also identify the
choices NCPC made regarding an IT
system or collection of information as
result of preparing the PIA.
(e) The CCB shall verify that a PIA has
been prepared prior to approving a
request to develop or procure
information technology that collects,
maintains, or disseminates Information
in Identifiable Form.
(f) The SAOP shall approve and sign
the NCPC’s PIA. If the SAOP is the
Contracting Officer for the IT system
that necessitated preparation of the PIA,
the Executive Director shall approve
and sign the PIA.
(g) Following approval of the PIA, the
NCPC shall post the PIA document on
the NCPC Web site located at
www.ncpc.gov.
Dated: September 14, 2017.
Anne R. Schuyler,
General Counsel.
[FR Doc. 2017–19996 Filed 9–19–17; 8:45 am]
BILLING CODE 7520–01–P
[Federal Register Volume 82, Number 181 (Wednesday, September 20, 2017)]
[Rules and Regulations]
[Pages 44044-44052]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-19996]
-----------------------------------------------------------------------
NATIONAL CAPITAL PLANNING COMMISSION
1 CFR Parts 455 and 603
Privacy Act Regulations
AGENCY: National Capital Planning Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The National Capital Planning Commission (NCPC or Commission)
hereby adopts new regulations governing NCPC's implementation of the
Privacy Act, as amended and the privacy provisions of the E-Government
Act of 2002. NCPC must comply with the requirements of the Privacy Act
and the privacy provisions of the E-Government Act of 2002 for records
maintained on individuals and personal information stored as a hard
copy or electronically.
DATES: This rule is effective October 20, 2017.
FOR FURTHER INFORMATION CONTACT: Anne R. Schuyler, General Counsel at
202-482-7223, anne.schuyler@ncpc.gov.
SUPPLEMENTARY INFORMATION: NCPC adopted its current Privacy Regulations
(1 CFR part 455) in 1977 pursuant to 5 U.S.C. 552a. Since that time,
Congress amended the Privacy Act multiple times including the E-
Government Act of 2002 which addressed requirements for maintaining
electronic privacy records. The regulations update NCPC's existing
Privacy Regulations to reflect amendments over time. The Office of the
Federal Register recently assigned NCPC a new chapter of 1 CFR--Chapter
VI--to allow NCPC to group all its regulations together in one chapter.
NCPC eliminates its Privacy Regulations at 1 CFR part 455 and
codifies the new Privacy Regulations at 1 CFR part 603.
I. Section by Section Analysis of NCPC's Privacy Act Regulations
Sec. 603.1 Purpose and scope. This section advises the purpose of
the regulations is to implement a privacy program consistent with the
requirements of the Privacy Act and the privacy related provision of
the E-Government Act of 2002. As stated in the section, NCPC's privacy
program extends to all Records maintained by NCPC in a System of
Records; the responsibilities of NCPC to safeguard this information;
the procedures by which Individuals may request notification of the
existence of a Record about them, access to Records about them, an
amendment to or correction of the Records about them, and an accounting
of disclosures of those Records by the NCPC; the procedures by which an
Individual may appeal an Adverse Determination, and the conduct of a
Privacy Impact Assessment.
Sec. 603.2 Definitions. This section defines terms frequently used
in the regulations. The section includes the five terms defined in the
existing regulations--Individual, Maintain, Record, Routine Use and
System of Records. It adds the definitions for the following terms:
Adverse Determination, E-Government Act of 2002, Information in
Identifiable Form (IIF), Information Technology, Privacy Act Officer
(PAO), Privacy Act, Privacy Impact Assessment (PIA), Record, Requester,
Request for Access to a Record, Request for Amendment or Correction of
a Record, Senior Agency Official for Privacy (SAOP), System of Records
Notice (SORN), and Workday.
Sec. 603.3 Privacy Act program responsibilities. This section
requires NCPC to designate a SAOP and a PAO and outlines the
responsibilities associated with both positions. It also enumerates the
Privacy Act responsibilities of other NCPC personnel.
Sec. 603.4 Standards used to Maintain Records. This section
establishes the standards NCPC must follow regarding privacy
information. The section requires NCPC to limit private information to
only that necessary to achieve the purposes for which it is collected
and stored; to ensure all information collected is accurate, relevant,
timely, and complete; and to collect privacy information regarding an
Individual's rights, benefits and privileges under federal programs
from the Individual to the maximum extent possible subject to
collection from third parties in certain circumstances.
Sec. 603.5 Notice to Individuals supplying information. This
section enumerates the information NCPC must provide Individuals who
are asked to supply information about themselves. The required
information enumerated includes the purpose for which NCPC intends to
use the information; the effects upon an Individual for not providing
the information; and the form of notice NCPC must supply in response to
an Individual's provision of information.
Sec. 603.6 System of Records (SOR) Notice (SORN). This section
requires NCPC to publish a notice in the Federal Register describing
each SOR 40 days before establishing a new or revising an existing SOR.
The section requires the SORN to include the purpose of the Records and
their location; the types of Individuals contained in the SOR; the
[[Page 44045]]
authority for maintaining the SOR; the purpose or reason why NCPC
collects the Records and their intended routine uses; the sources of
the Records in the SOR; the policies and practices regarding storage,
retrieval, access controls, retention, and disposal of the Records; the
identification of the agency official responsible for the SOR; and the
procedures for notifying an Individual who requests whether the SOR
contains information about him/her.
Sec. 603.7 Procedures to safeguard Records. This section describes
the procedures utilized by NCPC to safeguard hard copy and computerized
records subject to the Privacy Act. The section requires hard copy
Records to be stored in a locked room subject to restricted access with
external posted warning signs limiting access to authorized personnel
and/or stored in a locked container with identical precautions to those
used for a locked room. The section requires computerized Records to be
maintained subject to the Safeguards recommended by the National
Institute of Standards and Technology (NIST).
Sec. 603.8 Employee conduct. This section requires employees with
duties requiring access to and handling of Records to do so in a manner
that protects the integrity, security and confidentiality of the
Records. It prohibits employee disclosure of records unless authorized
by the rules in this part, permitted by NCPC's FOIA regulations (1 CFR
part 602), or disclosed to the Individual to whom the Record pertains.
The section also prohibits destruction or alteration of Records unless
required as part of an employee's regular duties, required by
regulations published by the National Archives Record Administration
(NARA), or required by a court of law.
Sec. 603.9 Government contracts. This section requires contractors
operating a System of Records on behalf of NCPC to abide by the
requirements of the Privacy Act. It also requires an NCPC employee to
oversee and manage the SOR operated by a contractor.
Sec. 603.10 Conditions for disclosure. Subject to a list of
enumerated exceptions, this section precludes disclosure of a Record
contained in a SOR unless prior written consent is obtained from the
Individual to whom the record pertains.
Sec. 603.11 Accounting of disclosures. This section requires NCPC
to prepare an accounting of disclosure when a Record is disclosed to
any person or to another agency.
The section requires the contents of an accounting to include the
date, nature, and purpose of the disclosure and the name and address of
the person or agency to whom the disclosure was made. The section also
requires Accountings of disclosures to be made available to the
Individual about whom the disclosed Record pertains except under
limited circumstances. It further requires changes to disclosed Records
to be shared with the person or agency to whom the Record was
originally disclosed.
Sec. 603.12 Requests for notification of the existence of Records.
This section advises Individuals how to determine whether a System of
Records maintained by NCPC contains Records pertaining to them. It
requires Individuals either to contact NCPC in writing or appear at
NCPC's offices by appointment to make the subject request. The section
requires the NCPC PAO to respond to a request in writing within 20
Workdays, to include in the response the Reason(s) for the PAO's
determination, and to advise the requester of the right to appeal the
decision.
Sec. 603.13 Request for access to Records. This section advises
Individuals how to access NCPC records about themselves. It requires
Individuals to request the right to access Records either in writing or
to appear at NCPC's offices by appointment. The section enumerates the
information required to be included in a request, and obligates
Individuals to present certain specified identification to access the
requested Records. The section also requires the NCPC PAO to respond to
a request for access in writing within 20 Workdays, to state in the
response the reason for the PAO's determination, and to advise the
Requester of the right to appeal an Adverse Determination.
Sec. 603.14 Requests for amendment or correction of Records. This
section outlines the process Individuals must follow to amend or
correct Records about them that they believe are inaccurate,
irrelevant, untimely or incomplete. The section requires a request for
amendment or correction to be in writing, include certain specified
information, and to be made only if the Individual has previously
requested and been granted access to the Record. The section also
requires the NCPC PAO to respond to a request for amendment or
correction in writing within 20 Workdays, to state the reason for the
PAO's determination in the response, to advise the requester of the
right to appeal an Adverse Determination, to ensure the Record is
amended or corrected in whole or in part if the PAO approves the
request, and to place a notation of a dispute on the Record if the
request is denied.
Sec. 603.15 Requests for an accounting of Records disclosures.
This section outlines the process Individuals must follow to obtain
information about disclosures of Records pertaining to them. It
requires a request for information about Records disclosed to include
certain specified information. The section also requires the NCPC PAO
to respond to a request for information about disclosures in writing
within 20 Workdays, to include, in the event of a disclosure, the date,
nature and purpose of the disclosure, the name and address of the
person or agency to whom the disclosure was made. The section further
requires the PAO to state the reason for his/her determination and to
advise the requester of the right to appeal an Adverse Determination.
Sec. 603.16 Appeals of Adverse Determinations. This section
describes the process Individuals must follow to appeal an Adverse
Determination. As defined in the definition section of the regulations
Adverse Determination means a decision to withhold any requested Record
in whole or in part; a decision that the requested Record does not
exist or cannot be located; a decision that the requested information
is not a Record subject to the Privacy Act; a decision that a Record,
or part thereof, does not require amendment or correction; a decision
to refuse to disclose an accounting of disclosure; and a decision to
deny a fee waiver. The term also encompasses a challenge to NCPC's
determination that Records have not been described adequately, that
there are no responsive Records, or that an adequate search has been
conducted. The section requires an Individual to submit a written
appeal to the Chairman of the Commission stating the legal, factual or
other basis for the Appeal, and it requires the Chairman to provide a
written response within 30 Workdays. The section also requires NCPC to
take prompt action to respond affirmatively to the Individual's
original request if the Chairman grants the request and to state the
reasons for a denial and the right to appeal the denial to a court of
competent jurisdiction.
Sec. 603.17 Fees. This section states the fees to be charged for
the search for and duplication of Records. It advises fees for
duplication shall be those established by NCPC's FOIA Regulations, and
it states there are no fees for the search or review of Records
requested by an Individual.
Sec. 603.18 Privacy Impact Assessments. This section states when
NCPC must conduct a Privacy Impact Assessment (PIA), the contents of a
PIA, and the process for approving the PIA. The section requires a PIA
to be
[[Page 44046]]
conducted before developing or procuring an IT system that collects,
maintains or disseminates Information that identifies an Individual
(IIF or Information in Identifiable Form) or when NCPC installs a new
collection of IIF for 10 or more persons other than employees, or
agencies of the federal government. The section also requires a PIA to
analyze a number of factors related to the collection, use, owner,
storage and manner of securing the IIF, and it requires the PIA to be
approved and posted on NCPC's Web site prior to undertaking the action
that required the PIA.
II. Summary of and Response to Comments
NCPC published a proposed rule addressing revisions to its current
Privacy Act Regulations in the Federal Register on August 1, 2017 for a
30-day public comment period. The public comment period closed on
August 31, 2017.
NCPC received no comments on its proposed Privacy Act Regulations.
Consequently, the proposed Privacy Act Regulations are now being
advertised as the final Privacy Act Regulations.
III. Compliance With Laws and Executive Orders
Executive Orders 12866 and 13563
By Memorandum dated October 12, 1993 from Sally Katzen,
Administrator, Office of Information and Regulatory Affairs (OIRA) to
Heads of Executive Departments and Agencies, and Independent Agencies,
OMB rendered the NCPC exempt from the requirements of Executive Order
12866 (See, Appendix A of cited Memorandum). Nonetheless, NCPC
endeavors to adhere to the provisions of Executive Orders and developed
this rule in a manner consistent with the requirements of Executive
Order 13563.
Executive Order 13771
By virtue of its exemption from the requirements of EO 12866, NCPC
is exempted from this Executive Order. NCPC confirmed this fact with
OIRA.
Regulatory Flexibility Act
As required by the Regulatory Flexibility Act (5 U.S.C. 601 et
seq.), the NCPC certifies that the rule will not have a significant
economic effect on a substantial number of small entities.
Small Business Regulatory Enforcement Fairness Act
This is not a major rule under 5 U.S.C. 804(2), the Small Business
Regulatory Enforcement Fairness Act. It does not have an annual effect
on the economy of $100 million or more; will not cause a major increase
in costs for individuals, various levels of governments or various
regions; and does not have a significant adverse effect on competition,
employment, investment, productivity, innovation or the competitiveness
of US enterprises with foreign enterprises.
Unfunded Mandates Reform Act (2 U.S.C. 1531 et seq.)
A statement regarding the Unfunded Mandates Reform Act is not
required. The rule neither imposes an unfunded mandate of more than
$100 million per year nor imposes a significant or unique effect on
State, local or tribal governments or the private sector.
Federalism (Executive Order 13132)
In accordance with Executive Order 13132, the rule does not have
sufficient federalism implications to warrant the preparation of a
Federalism Assessment. The rule does not substantially and directly
affect the relationship between the Federal and state governments.
Civil Justice Reform (Executive Order 12988)
The General Counsel of NCPC has determined that the rule does not
unduly burden the judicial system and meets the requirements of
Executive Order 12988 3(a) and 3(b)(2).
Paperwork Reduction Act
The rule does not contain information collection requirements, and
it does not require a submission to the Office of Management and Budget
under the Paperwork Reduction Act.
9. National Environmental Policy Act
The rule is of an administrative nature, and its adoption does not
constitute a major federal action significantly affecting the quality
of the human environment. NCPC's adoption of the rule will have minimal
or no effect on the environment; impose no significant change to
existing environmental conditions; and will have no cumulative
environmental impacts.
10. Clarity of the Regulation
Executive Order 12866, Executive Order 12988, and the Presidential
Memorandum of June 1, 1998 require the NCPC to write all rules in
plain language. NCPC maintains the rule meets this requirement. Those
individuals reviewing the rule who believe otherwise should submit
specific comments to the addresses noted above recommending revised
language for those provisions or portions thereof where they believe
compliance is lacking.
11. Public Availability of Comments
Be advised that personal information such as name, address, phone
number, electronic address, or other identifying personal information
contained in a comment may be made publicly available. Individuals
may ask NCPC to withhold the personal information in their comment, but
there is no guarantee the agency can do so.
List of Subjects in 1 CFR Parts 455 and 603
Privacy
For the reasons stated in the preamble, the National Capital
Planning Commission amends 1 CFR Chapters IV and VI as follows:
CHAPTER IV--MISCELLANEOUS AGENCIES
PART 455--[Removed]
1. Under the authority of 40 U.S.C. 8711(a) remove part 455.
CHAPTER VI--NATIONAL CAPITAL PLANNING COMMISSION
2. Add part 603 to read as follows:
PART 603--PRIVACY ACT REGULATIONS
Sec.
603.1 Purpose and scope.
603.2 Definitions.
603.3 Privacy Act program responsibilities.
603.4 Standards used to Maintain Records.
603.5 Notice to Individuals supplying information.
603.6 System of Records Notice or SORN.
603.7 Procedures to safeguard Records.
603.8 Employee conduct.
603.9 Government contracts.
603.10 Conditions of disclosure.
603.11 Accounting for disclosures.
603.12 Requests for notification of the existence of Records.
603.13 Requests for access to Records.
603.14 Requests for Amendment or Correction of Records.
603.15 Requests for Accounting of Record disclosures.
603.16 Appeals of Adverse Determinations.
603.17 Fees.
603.18 Privacy Impact Assessments.
Authority: 5 U.S.C. 552a as amended and 44 U.S.C. ch. 36.
Sec. 603.1 Purpose and scope.
(a) This part contains the rules the National Capital Planning
Commission (NCPC) shall follow to implement a privacy program as
required by the Privacy Act of 1974, 5 U.S.C. 552a (Privacy Act or Act)
and the privacy provisions of the E-Government Act of 2002 (44 U.S.C.
ch. 36) (E-Government Act). These rules should be read together with
the Privacy Act and the
[[Page 44047]]
privacy related provisions of the E-Government Act, which provide
additional information respectively about Records maintained on
individuals and protections for the privacy of personal information as
agencies implement citizen-centered electronic Government.
(b) Consistent with the requirements of the Privacy Act, the rules
in this part apply to all Records maintained by NCPC in a System of
Records; the responsibilities of the NCPC to safeguard this
information; the procedures by which Individuals may request
notification of the existence of a record, request access to Records
about themselves, request an amendment to or correction of those
Records, and request an accounting of disclosures of those Records by
the NCPC; and the procedures by which an Individual may appeal an
Adverse Determination.
(c) Consistent with the privacy-related requirements of the
E-Government Act, the rules in this part also address the conduct of a
privacy impact assessment prior to developing or procuring information
technology that collects, maintains, or disseminates information in an
identifiable form, initiating a new electronic collection of
information in identifiable form for 10 or more persons excluding
agencies, instrumentalities or employees of the federal government, or
changing an existing System that creates new privacy risks.
(d) In addition to the rules in this part, the NCPC shall process
all Privacy Act Requests for Access to Records in accordance with the
Freedom of Information Act (FOIA), 5 U.S.C. 552, and part 602 of this
chapter.
Sec. 603.2 Definitions.
For purposes of this part, the following definitions shall apply:
Adverse Determination shall mean a decision to withhold any
requested Record in whole or in part; a decision that the requested
Record does not exist or cannot be located; a decision that the
requested information is not a Record subject to the Privacy Act; a
decision that a Record, or part thereof, does not require amendment or
correction; a decision to refuse to disclose an accounting of
disclosure; and a decision to deny a fee waiver. The term shall also
encompass a challenge to NCPC's determination that Records have not
been described adequately, that there are no responsive Records or that
an adequate search has been conducted.
E-Government Act of 2002 shall mean Public Law 107-347, Dec. 17,
2002, 116 Stat. 2899, the privacy portions of which are set out as a
note under section 3501 of title 44.
Individual shall mean a citizen of the United States or an alien
lawfully admitted for permanent residence.
Information in Identifiable Form (IIF) shall mean information in an
Information Technology system or an online collection that directly
identifies an individual, e.g., name, address, social security number
or other identifying number or code, telephone number, email address
and the like; or information by which the NCPC intends to identify
specific individuals in conjunction with other data elements, e.g.,
indirect identification that may include a combination of gender, race,
birth date, geographic identifiers, and other descriptions.
Information Technology (IT) shall mean, as defined in the Clinger
Cohen Act (40 U.S.C. 11101(6)), any equipment, software or
interconnected system or subsystem that is used in the automatic
acquisition, storage, manipulation, management, movement, control,
display, switching, interchange, transmission or reception of data.
Maintain shall include maintain, collect, use or disseminate a
Record.
Privacy Act Officer shall mean the individual within the NCPC
charged with responsibility for coordinating and implementing NCPC's
Privacy Act program.
Privacy Act or Act shall mean the Privacy Act of 1974, as amended
and codified at 5 U.S.C. 552a.
Privacy Impact Assessment (PIA) shall mean an analysis of how
information is handled to ensure handling conforms to applicable legal,
regulatory, and policy requirements regarding privacy; to determine the
risks and effects of collecting, maintaining and disseminating
information in identifiable form in an electronic system; and to
examine and evaluate protections and alternative processes for handling
information to mitigate potential privacy risks.
Record shall mean any item, collection, or grouping of information
about an Individual that is Maintained by the NCPC, including, but not
limited to, an Individual's education, financial transactions, medical
history, and criminal or employment history and that contains a name,
or identifying number, symbol, or other identifying particular assigned
to the Individual, such as a finger or voice print or photograph.
Requester shall mean an Individual who makes a Request for Access
to a Record, a Request for Amendment or Correction of a Record, or a
Request for Accounting of a Record under the Privacy Act.
Request for Access to a Record shall mean a request by an
Individual made to the NCPC pursuant to subsection (d)(1) of the
Privacy Act to gain access to his/her Records or to any information
pertaining to him/her in the system and to permit him/her, or a person
of his/her choosing, to review and copy all or any portion thereof.
Request for Amendment or Correction of a Record shall mean a
request made by an Individual to the NCPC pursuant to subsection (d)(2)
of the Privacy Act to amend or correct a Record pertaining to him/her.
Routine Use shall mean with respect to disclosure of a Record, the
use of such Record for a purpose which is compatible with the purpose
for which the Record is collected.
Senior Agency Official for Privacy (SAOP) shall mean the individual
within NCPC responsible for establishing and overseeing the NCPC's
Privacy Act program.
System of Records or System (SOR or Systems) shall mean a group of
any Records under the control of the NCPC from which information is
retrieved by the name of the individual or by some identifying number,
symbol, or other identifying particular assigned to the individual.
System of Record Notice (SORN) shall mean a notice published in the
Federal Register by the NCPC for each new or revised System of Records
intended to solicit public comment on the System prior to
implementation.
Workday shall mean a regular Federal workday excluding Saturday,
Sunday and legal Federal holidays when the federal government is
closed.
Sec. 603.3 Privacy Act program responsibilities.
(a) The NCPC shall designate a Senior Agency Official for Privacy
(SAOP) to establish and oversee the NCPC's Privacy Act Program and
ensure compliance with privacy laws, regulations and the NCPC's privacy
policies. Specific responsibilities of the SAOP shall include:
(1) Reporting to the Office of Management and Budget (OMB) and
Congress on the establishment of or revision to Privacy Act Systems;
(2) Reporting periodically to OMB on Privacy Act activities as
required by law and OMB;
(3) Signing Privacy Act SORNs for publication in the Federal
Register;
(4) Approving and signing PIAs; and
(5) Serving as head of the agency response team when responding to
a large-scale information breach.
(b) The NCPC shall designate a Privacy Act Officer (PAO) to
coordinate
[[Page 44048]]
and implement the NCPC's Privacy Act program. Specific responsibilities
of the PAO shall include:
(1) Developing, issuing and updating, as necessary, the NCPC's
Privacy Act policies, standards, and procedures;
(2) Maintaining Privacy Act program Records and documentation;
(3) Responding to Privacy Act Requests for Records and coordinating
appeals of Adverse Determinations for Requests for access to Records,
Requests for Amendment or Correction of Records, and Requests for
accounting for disclosures;
(4) Informing Individuals of information disclosures;
(5) Working with the NCPC's Division Directors or designated staff
to develop an appropriate form for collection of Privacy Act
information and including in the form a Privacy Act statement
explaining the purpose for collecting the information, how it will be
used, the authority for such collection, its routine uses, and the
effect upon the Individual of not providing the requested information;
(6) Assisting in the development of new or revised SORNs;
(7) Developing SORN reports for OMB and Congress;
(8) Submitting new or revised SORNs to the Federal Register for
publication;
(9) Assisting in the development of computer matching systems;
(10) Preparing Privacy Act, Computer Matching, and other reports to
OMB as required; and
(11) Evaluating PIA to ensure compliance with E-Government Act
requirements.
(c) Other Privacy related responsibilities shall be shared by the
NCPC Division Directors, the NCPC Chief Information Officer (CIO), the
NCPC System Developers and Designers, the NCPC Configuration Control
Board, the NCPC employees, and the Chairman of the Commission.
(1) The NCPC Division Directors shall be responsible for
coordinating with the PAO the implementation of the requirements set
forth in this part for Systems of Records applicable to their area of
management and the preparation of PIA prior to development or
procurement of new systems that collect, maintain or disseminate IIF.
Specific responsibilities include:
(i) Reviewing existing SOR for need, relevance, and purpose for
existence, and proposing SOR changes to the PAO as necessary in
response to altered circumstances;
(ii) Reviewing existing SOR to ensure information is accurate,
complete and up to date;
(iii) Coordinating with the PAO the preparation of new or revised
SORN;
(iv) Coordinating with the PAO the development of an appropriate
form for collection of Privacy Act information and including in the
form a Privacy Act statement explaining the purpose for collecting the
information, how it will be used, the authority for such collection,
its routine uses, and the effect upon the Individual of not providing
the requested information;
(v) Collecting information directly from individuals whenever
possible;
(vi) Assisting the PAO with providing access to Individuals who
request information in accordance with the procedures established in
Sec. Sec. 603.12, 603.13, 603.14 and 603.15.
(vii) Amending Records if and when appropriate, and working with
the PAO to inform recipients of former Records of such amendments;
(viii) Ensuring that System information is used only for its stated
purpose;
(ix) Establishing and overseeing appropriate administrative,
technical, and physical safeguards to ensure security and
confidentiality of Records; and
(x) Working with the SAOP, the PAO and Configuration Control Board
(CCB) on SORs, preparing a PIA, if needed, and obtaining SAOP approval
for a PIA prior to its publication on the NCPC Web site.
(2) The CIO shall be responsible for implementing IT security
management to include security for information protected by the Privacy
Act and the E-Government Act of 2002. Specific responsibilities
include:
(i) Overseeing security policy for privacy data; and
(ii) Reviewing PIAs prepared for information security
considerations.
(3) The NCPC System Developers and Designers shall be responsible
for ensuring that the IT system design and specifications conform to
privacy standards and requirements and that technical controls are in
place for safeguarding personal information from unauthorized access.
(4) The NCPC CCB shall, among other responsibilities, verify that a
PIA has been prepared prior to approving a request to develop or
procure information technology that collects, maintains, or
disseminates Information in Identifiable Form.
(5) The NCPC employees shall ensure that any personal information
they use in the conduct of their official responsibilities is protected
in accordance with the rules set forth in this part.
(6) The Chairman of the Commission shall be responsible for acting
on all appeals of Adverse Determinations.
Sec. 603.4 Standards used to Maintain Records.
(a) Records Maintained by the NCPC shall contain only such
information about an Individual as is relevant and necessary to
accomplish a purpose NCPC must accomplish to comply with relevant
statutes or Executive Orders of the President.
(b) Records Maintained by the NCPC and used to make a determination
about an Individual shall be accurate, relevant, timely, and complete
to assure a fair determination.
(c) Information used by the NCPC in making a determination about an
Individual's rights, benefits, and privileges under federal programs
shall be collected, to the greatest extent practicable, directly from
the Individual. In deciding whether collection of information about an
Individual, as opposed to a third party is practicable, the NCPC shall
consider the following:
(1) Whether the information sought can only be obtained from a
third party;
(2) Whether the cost to collect the information from an Individual
is unreasonable compared to the cost of collecting the information from
a third party;
(3) Whether there is a risk of collecting inaccurate information
from a third party that could result in a determination adverse to the
Individual concerned;
(4) Whether the information collected from an Individual requires
verification by a third party; and
(5) Whether the Individual can verify information collected from
third parties.
(d) The NCPC shall not Maintain Records describing how an
Individual exercises rights guaranteed by the First Amendment to the
Constitution unless the maintenance of the Record is expressly
authorized by statute or by the Individual about whom the Record is
Maintained or pertinent to and within the scope of an authorized law
enforcement activity.
Sec. 603.5 Notice to Individuals supplying information.
(a) Each Individual asked to supply information about himself/
herself to be added to a System of Records shall be informed by the
NCPC of the basis for requesting the information, its potential use,
and the consequences, if any, of not supplying the information. Notice
to the Individual shall state at a minimum:
(1) The legal authority for NCPC's solicitation of the information
and whether disclosure is mandatory or voluntary;
(2) The principal purpose(s) for which the NCPC intends to use the
information;
[[Page 44049]]
(3) The potential routine uses of the information by the NCPC as
published in a Systems of Records Notice; and
(4) The effects upon the individual, if any, of not providing all
or any part of the requested Information to the NCPC.
(b) When NCPC collects information on a standard form, the notice
to the Individual shall either be provided on the form, on a tear off
sheet attached to the form, or on a separate form, whichever is deemed
the most practical by the NCPC.
(c) NCPC may ask an Individual to acknowledge, in writing, receipt
of the notice required by this section.
Sec. 603.6 System of Records Notice or SORN.
(a) The NCPC shall publish a notice in the Federal Register
describing each System of Records 40 days prior to the establishment of
a new or revision to an existing System of Records.
(b) The SORN shall include:
(1) The name and location of the System of Records. The name shall
identify the general purpose, and the location shall include whether
the system is located on the NCPC's main server or central files. The
physical address of either shall also be included.
(2) The categories or types of Individuals on whom NCPC Maintains
Records in the System of Records;
(3) The categories or types of Records in the System;
(4) The statutory or Executive Order authority for Maintenance of
the System;
(5) The purpose(s) or explanation of why the NCPC collects the
particular Records including identification of all internal and routine
uses;
(6) The policies and practices of the NCPC regarding storage,
retrieval, access controls, retention and disposal of Records;
(7) The title and business address of the agency official
responsible for the identified System of Records;
(8) The NCPC procedures for notification to an Individual who
requests if a System of Records contains a Record about the Individual;
and
(9) The NCPC sources of Records in the System.
Sec. 603.7 Procedures to safeguard Records.
(a) The NCPC shall implement the procedures set forth in this
section to ensure sufficient administrative, technical and physical
safeguards exist to protect the security and confidentiality of
Records. The enumerated procedures shall also protect against any
anticipated threats or hazards to the security of Records with the
potential to cause substantial harm, embarrassment, inconvenience, or
unfairness to any Individual on whom information is Maintained.
(b) Manual Records subject to the Privacy Act shall be maintained
by the NCPC in a manner commensurate with the sensitivity of the
information contained in the Records. The following minimum safeguards
or safeguards affording comparable protection shall apply to manual
Systems of Records:
(1) The NCPC shall post areas where Records are maintained or
regularly used with an appropriate warning sign stating access to the
Records shall be limited to authorized persons. The warning shall also
advise that the Privacy Act prescribes criminal penalties for
unauthorized disclosure of Records subject to the Act.
(2) During work hours, the NCPC shall protect areas in which
Records are Maintained or regularly used by restricting occupancy of
the area to authorized persons or storing the Records in a locked
container and room.
(3) During non-working hours, access to Records shall be restricted
by their storage in a locked storage container and room.
(4) Any lock used to secure a room where Records are stored shall
not be capable of being disengaged with a master key that opens rooms
other than those in which Records are stored.
(c) Computerized Records subject to the Privacy Act shall be
maintained, at a minimum, subject to the safeguards recommended by the
National Institute of Standards and Technology (NIST) Special
Publications 800-53, Recommended Security Controls for Federal
Information Systems and Organizations as revised from time to time or
any superseding guidance offered by NIST or other federal agency
charged with the responsibility for providing recommended safeguards
for computerized Records subject to the Privacy Act.
(d) NCPC shall maintain a System of Records comprised of Office of
Personnel Management (OPM) personnel Records in accordance with
standards prescribed by OPM and published at 5 CFR 293.106-293.107.
Sec. 603.8 Employee conduct.
(a) Employees with duties requiring access to and handling of
Records shall, at all times, take care to protect the integrity,
security, and confidentiality of the Records.
(b) No employee of the NCPC shall disclose Records unless
disclosure is permitted by Sec. 603.10(b) or by part 602 of this
chapter, or is made to the Individual to whom the Record pertains.
(c) No employee of the NCPC shall alter or destroy a Record unless
such alteration or destruction is undertaken in the course of the
employee's regular duties or such alteration or destruction is allowed
pursuant to regulations published by the National Archives and Records
Administration (NARA) or required by a court of competent jurisdiction.
Records shall not be destroyed or disposed of while they are the
subject of a pending request, appeal or lawsuit under the Privacy Act.
Sec. 603.9 Government contracts.
(a) When a contract provides for third party operation of a SOR on
behalf of the NCPC to accomplish a NCPC function, the contract shall
require that the requirements of the Privacy Act and the rules in this
part be applied to such System.
(b) The Division Director responsible for the contract shall
designate a NCPC employee to oversee and manage the SOR operated by the
contractor.
Sec. 603.10 Conditions for disclosure.
(a) Except as set forth in paragraph (b) of this section, no Record
contained in a SOR shall be disclosed by any means of communication to
any person, or to another agency, unless prior written consent is
obtained from the Individual to whom the Record pertains.
(b) The limitations on disclosure contained in paragraph (a) of
this section shall not apply when disclosure of a Record is:
(1) To employees of the NCPC for use in the performance of their
duties;
(2) Required by the Freedom of Information Act (FOIA), 5 U.S.C.
555;
(3) For a Routine Use as described in a SORN;
(4) To the Bureau of Census for statistical purposes, provided that
the Record must be transferred in a form that precludes individual
identification;
(5) To an Individual who provides NCPC adequate written assurance
that the Record shall be used solely for statistical or research
purposes, provided that the Record must be transferred in a form that
precludes Individual identification;
(6) To the NARA because the Record warrants permanent retention
because of historical or other national value as determined by NARA or
to permit NARA to determine whether the Record has such value;
(7) To a law enforcement agency for a civil or criminal law
enforcement activity, provided that the law enforcement agency must
submit a written request to the NCPC specifying the Record(s) sought
and the purpose for which they will be used;
(8) To any person upon demonstration of compelling information that
an Individual's health or safety is at stake and provided that upon
disclosure, notification is given to the Individual to whom the Record
pertains at that Individual's last known address;
(9) To either House of Congress, and any committee or subcommittee
thereof, to include joint committees of both houses and any
subcommittees thereof, when a Record falls within their jurisdiction;
(10) To the Comptroller General, or any of his authorized
representatives, to allow the Government Accountability Office to
perform its duties;
(11) Pursuant to a court order by a court of competent
jurisdiction; and
(12) To a consumer reporting agency trying to collect a claim of
the government as authorized by 31 U.S.C. 3711(e).
Sec. 603.11 Accounting of disclosures.
(a) Except for disclosures made under Secs. 603.10(b)(1)-(2),
when a Record is disclosed to any person, or to another agency, NCPC
shall prepare an accounting of the disclosure. The accounting shall
record the date, nature, and purpose of the disclosure and the name and
address of the person or agency to whom the disclosure was made. The
NCPC shall maintain all accountings for a minimum of five years or the
life of the Record, whichever is greatest, after the disclosure is
made.
(b) Except for disclosures under Sec. 603.10(b)(7), accountings of
all disclosures shall be made available to the Individual to whom
the disclosed Records pertain at his/her request. Such request shall
be made in accordance with the requirements of Sec. 603.15.
(c) For any disclosure for which an accounting is made, if a
subsequent amendment or correction or notation of dispute is made to a
Record by the NCPC in accordance with the requirements of Sec. 603.14,
the Individual and/or agency to whom the Record was originally
disclosed shall be informed.
Sec. 603.12 Requests for notification of the existence of Records.
(a) An Individual seeking to determine whether a System of Records
contains Records pertaining to him/her shall do so by appearing in
person at NCPC's official place of business or by written
correspondence to the NCPC PAO. In-person requests shall be by
appointment only with the PAO on a Workday during regular office hours.
Written requests sent via the U.S. mail shall be directed to the
Privacy Act Officer at NCPC's official address listed at www.ncpc.gov.
If sent via email or facsimile, the request shall be directed to the
email address or facsimile number indicated on the NCPC Web site. To
expedite internal handling of Privacy Act Requests, the words Privacy
Act Request shall appear prominently on the envelope or the subject line
of an email or facsimile cover sheet.
(b) The Request shall state that the Individual is seeking
information concerning the existence of Records about himself/herself
and shall supply information describing the System where such Records
might be maintained as set forth in a System of Record Notice.
(c) The NCPC PAO shall notify the Requester in writing within 20
Workdays of the Request whether a System contains Records pertaining to
him/her unless the Records were compiled in reasonable anticipation of
a civil action or proceeding or the Records are NCPC employee Records
under the jurisdiction of the OPM. In both of the latter cases the
Request shall be denied. If the Request is denied because the Record(s)
is/are under the jurisdiction of the OPM, the response shall advise the
Requester to contact OPM. If the PAO denies the Request, the response
shall state the reason for the denial and advise the Requester of the
right to appeal the decision within 60 days of the date of the letter
denying the request in accordance with the requirements set forth in
Sec. 603.16.
Sec. 603.13 Requests for access to Records.
(a) An Individual seeking access to Records about himself/herself
shall do so by appearing in person at NCPC's official place of business
or by written correspondence to the NCPC Privacy Act Officer. In-person
requests shall be by appointment only with the Privacy Act Officer on a
Workday during regular office hours. For written requests sent via the
U.S. mail, the Request shall be directed to the Privacy Act Officer at
NCPC's official address listed at www.ncpc.gov. If sent via email or
facsimile, the request shall be directed to the email address or
facsimile number indicated on the NCPC Web site. To expedite internal
handling of Privacy Act Requests, the words Privacy Act Request shall
appear prominently on the envelope or the subject line of an email or
facsimile cover sheet.
(b) The Request shall:
(1) State the Request is made pursuant to the Privacy Act;
(2) Describe the requested Records in sufficient detail to enable
their location including, without limitation, the dates the Records
were compiled and the name or identifying number of each System of
Record in which they are kept as identified in the list of NCPC's SORNs
published on its Web site; and
(3) State, pursuant to the fee schedule set forth in Sec. 603.17,
a willingness to pay all fees associated with the Privacy Act Request
or the maximum fee the Requester is willing to pay.
(c) The NCPC shall require identification as follows before
releasing Records to an Individual:
(1) An Individual Requesting Privacy Act Records in person shall
present a valid, photographic form of identification such as a driver's
license, employee identification card, or passport that renders it
possible for the PAO to verify that the Individual is the same
Individual as contained in the requested Records.
(2) An Individual Requesting Privacy Act Records by mail shall
state their full name, address and date of birth in their
correspondence. The Request must be signed and the signature must
either be notarized or submitted with a statement signed and dated as
follows: I declare under penalty of perjury that the foregoing facts
establishing my identification are true and correct.
(d) The PAO shall determine within 20 Workdays whether to grant or
deny an Individual's Request for Access to the requested Record(s) and
notify the Individual in writing accordingly. The PAO's response shall
state his/her determination and the reasons therefor. If the Request is
denied because the Record(s) is/are under the jurisdiction of the OPM,
the response shall advise the Requester to contact OPM. In the case of
an Adverse Determination, the written notification shall advise the
Individual of his/her right to appeal the Adverse Determination in
accordance with the requirements of Sec. 603.16.
Sec. 603.14 Requests for Amendment or Correction of Records.
(a) An Individual seeking to amend or correct a Record pertaining
to him/her that he/she believes to be inaccurate, irrelevant, untimely
or incomplete shall submit a written request to the PAO at the address
listed on NCPC's official Web site www.ncpc.gov. If sent via email or
facsimile, the Request shall be directed to the email address or
facsimile number indicated on the NCPC Web site. To expedite internal
handling, the words Privacy Act Request shall appear prominently on the
envelope or the subject line of an email or facsimile cover sheet.
(b) The Request shall:
(1) State the Request is made pursuant to the Privacy Act;
(2) Describe the requested Record in sufficient detail to enable
its location including, without limitation, the dates the Record was
compiled and
the name or identifying number of the System of Record in which the
Record is kept as identified in the list of NCPC's SORNs published on
its Web site;
(3) State in detail the reasons why the Record, or objectionable
portion(s) thereof, is/are not accurate, relevant, timely or complete;
(4) Include copies of documents or evidence relied upon in support
of the Request for Amendment or Correction; and
(5) State specifically, and in detail, the changes sought to the
Record, and if the changes include rewriting the Record, or portions
thereof, or adding new language, the Individual shall propose specific
language to implement the requested changes.
(c) A request to Amend or Correct a Record shall be submitted only
if the Requester has previously requested and been granted access to
the Record and has inspected or been given a copy of the Record.
(d) The PAO shall render a decision within 20 Workdays. If the
Request for an Amendment or Correction fails to meet the requirements
of paragraphs (b)(1)-(5) of this section, the PAO shall advise the
Individual of the deficiency and advise what additional information is
required to act upon the Request. The timeframe for a decision on the
Request shall be tolled (stopped) during the pendency of a request for
additional information and shall resume when the additional information
is received. If the Requester fails to submit the requested additional
information within a reasonable time, the PAO shall reject the Request.
(e) The PAO's decision on a Request for Amendment or Correction
shall be in writing and state the basis for the decision. If the
Request is denied because the Record(s) is/are under the jurisdiction
of the OPM, the response shall advise the Requester to contact OPM. In
the event of an Adverse Determination, the written notification shall
advise the Individual of his/her right to appeal the Adverse
Determination in accordance with the requirements of Sec. 603.16.
(f) If the PAO approves the Request for Amendment or Correction,
the PAO shall ensure that subject Record is amended or corrected, in
whole or in part. If the PAO denies the Request for Amendment or
Correction, a notation of dispute shall be noted on the Record. If an
accounting of disclosure has been made pursuant to Sec. 603.11, the
PAO shall advise all previous recipients of the Record that an
amendment or correction or notation of dispute has been made and, if
applicable, the substance of the change.
Sec. 603.15 Requests for Accounting of Record disclosures.
(a) An Individual seeking information regarding an accounting of
disclosure of a Record pertaining to him/her made in accordance with
Sec. 603.11 shall submit a written request to the PAO at the address
listed on NCPC's official Web site www.ncpc.gov. If sent via email or
facsimile, the Request shall be directed to the email address or
facsimile number indicated on the NCPC Web site. To expedite internal
handling, the words Privacy Act Request shall appear prominently on the
envelope or the subject line of an email or facsimile cover sheet.
(b) The Request shall:
(1) State the Request is made pursuant to the Privacy Act; and
(2) Describe the requested Record in sufficient detail to determine
whether it is or is not contained in an accounting of disclosure.
(c) The NCPC PAO shall notify the Requester in writing within 20
Workdays of the Request and advise if the Record was included in an
accounting of disclosure. In the event of a disclosure, the response
shall include the date, nature, and purpose of the disclosure and the
name and address of the person or agency to whom the disclosure was
made. If the Request is denied because the Record(s) is/are under the
jurisdiction of the OPM, the response shall advise the Requester to
contact OPM. In the event of an Adverse Determination, the written
notification shall advise the Individual of his/her right to appeal the
Adverse Determination in accordance with the requirements of Sec.
603.16.
Sec. 603.16 Appeals of Adverse Determinations.
(a) Except for appeals pursuant to paragraph (d) of this section,
an appeal of an Adverse Determination shall be made in writing
addressed to the Chairman (Chairman) of the National Capital Planning
Commission at the address listed on NCPC's official Web site
www.ncpc.gov. If sent via email or facsimile, the Request shall be
directed to the email address or facsimile number indicated on the NCPC
Web site. To expedite internal handling, the words Privacy Act Request
shall appear prominently on the envelope or the subject line of an email
or facsimile cover sheet. An appeal of an Adverse Determination shall
be made within 30 Workdays of the date of the decision.
(b) An appeal of an Adverse Determination shall include a statement
of the legal, factual or other basis for the Requester's objection to
an Adverse Determination; a daytime phone number or email where the
Requester can be reached if the Chairman requires additional
information or clarification regarding the appeal; copies of the
initial request and the PAO's written response; and for an Adverse
Determination regarding a fee waiver, a demonstration of compliance
with part 602 of this chapter.
(c) The Chairman shall respond to an appeal of an Adverse
Determination in writing within 20 Workdays of receipt of the appeal.
If the Chairman grants the appeal, the Chairman shall notify the
Requester, and the NCPC shall take prompt action to respond
affirmatively to the original Request upon receipt of any fees that may
be required. If the Chairman denies the appeal, the letter shall state
the reason(s) for the denial, a statement that the decision is final,
and advise the Requester of the right to seek judicial review of the
denial in the District Court of the United States in either the
district in which the Requester resides, the district in which the
Requester has his/her principal place of business or the District of
Columbia.
(d) The appeal of an Adverse Determination based on OPM
jurisdiction of the Records shall be made to OPM pursuant to 5 CFR
297.306.
(e) The NCPC shall not act on an appeal of an Adverse Determination
if the underlying Request becomes the subject of litigation.
(f) A party seeking court review of an Adverse Determination must
first appeal the Adverse Determination under this section.
Sec. 603.17 Fees.
(a) The NCPC shall charge for the duplication of Records under this
subpart in accordance with the schedule of fees set forth in part 602
of this chapter. The NCPC shall not charge duplication fees when the
Requester asks to inspect the Records personally but is provided copies
at the discretion of the agency.
(b) The NCPC shall not charge any fees for the search for or review
of Records requested by an Individual.
Sec. 603.18 Privacy Impact Assessments.
(a) Consistent with the requirements of the E-Government Act and
OMB Memorandum M-03-22, the NCPC shall conduct a PIA before:
(1) Developing or procuring IT systems or projects that collect,
maintain, or disseminate IIF; or
(2) Installing a new collection of information that will be
collected, maintained, or disseminated using IT and includes IIF for 10
or more persons (excluding agencies, instrumentalities or employees of
the federal government).
(b) The PIA shall be prepared through the coordinated effort of the
NCPC's Privacy Officers (SAOP, PAO), Division Directors, CIO, and IT
staff.
(c) As a general rule, the level of detail and content of a PIA
shall be commensurate with the nature of the information to be
collected and the size and complexity of the IT system involved.
Specifically, a PIA shall analyze and describe:
(1) The information to be collected;
(2) The reason the information is being collected;
(3) The intended use for the information;
(4) The identity of those with whom the information will be shared;
(5) The opportunities Individuals have to decline to provide the
information or to consent to particular uses and how to consent;
(6) The manner in which the information will be secured; and
(7) The extent to which the system of records is being created
under the Privacy Act.
(d) In addition to the information specified in paragraphs (b)(1)-
(7) of this section, the PIA must also identify the choices NCPC made
regarding an IT system or collection of information as a result of
preparing the PIA.
(e) The CCB shall verify that a PIA has been prepared prior to
approving a request to develop or procure information technology that
collects, maintains, or disseminates Information in Identifiable Form.
(f) The SAOP shall approve and sign the NCPC's PIA. If the SAOP is
the Contracting Officer for the IT system that necessitated preparation
of the PIA, the Executive Director shall approve and sign the PIA.
(g) Following approval of the PIA, the NCPC shall post the PIA
document on the NCPC Web site located at www.ncpc.gov.
Dated: September 14, 2017.
Anne R. Schuyler,
General Counsel.
[FR Doc. 2017-19996 Filed 9-19-17; 8:45 am]
BILLING CODE 7520-01-P