Privacy Act Implementation Rules, 48900-48901 [2021-18589]

Download as PDF 48900 Federal Register / Vol. 86, No. 167 / Wednesday, September 1, 2021 / Rules and Regulations Donation Program may not sell the donated dairy products back into commercial markets. (b) Prohibition on marketing or promotional event. Dairy products donated in conjunction with a marketing or promotional event are prohibited from reimbursement. (c) Prohibition on profit-making. An eligible dairy organization cannot make a profit from reimbursements received from the Dairy Donation Program. (d) Prohibition on future participation. An eligible partnership that AMS determines has violated the prohibition in paragraph (a), (b), or (c) shall not be eligible for any future participation in the Dairy Donation Program. § 1147.206 Confidentiality. AMS will only collect information deemed necessary to administer the Dairy Donation Program and will use the information only for that purpose. AMS will keep all proprietary business information collected under the program confidential. § 1147.209 Books and records. khammond on DSKJM1Z7X2PROD with RULES Each eligible dairy organization shall maintain and retain records of its operations and make such records and its facilities available to AMS as necessary to ensure the integrity of the Dairy Donation Program. (a) Records to be maintained and made available. Each eligible dairy organization must maintain and make available records of its operations (including, but not limited to, records of donations, processing, packaging, and disposition of donated eligible dairy products) that are necessary to verify whether it met program requirements. (b) Retention of records. All records required under the paragraph (a) shall be retained by the eligible dairy organization for a period of 3 years to begin at the end of the month to which such records pertain. § 1147.210 Milk for other programs. Eligible dairy products sold or donated under other commodity or food assistance programs administered by the United States Department of Agriculture, except as pursuant to 7 CFR 1146, is not eligible for reimbursement VerDate Sep<11>2014 16:01 Aug 31, 2021 § 1147.212 Expiration of this part. This part expires September 1, 2023, unless extended by notification in the Federal Register. Erin Morris, Associate Administrator, Agricultural Marketing Service. [FR Doc. 2021–18606 Filed 8–31–21; 8:45 am] BILLING CODE P BUREAU OF CONSUMER FINANCIAL PROTECTION 12 CFR Part 1070 Privacy Act Implementation Rules Enforcement. Where applicable, AMS will verify an eligible dairy organization’s payment of the input cost. AMS will also conduct spot checks, reviews, and audits of the reports and documentation submitted pursuant to § 1147.106(a) to verify accuracy and to ensure the integrity of the Dairy Donation Program. § 1147.208 under the Dairy Donation Program in this part. Jkt 253001 Bureau of Consumer Financial Protection. ACTION: Final rule. AGENCY: The Bureau of Consumer Financial Protection (Bureau or CFPB) makes limited revisions to its regulations that establish the procedures used by the public to obtain records from the Bureau under the Privacy Act of 1974 (Privacy Act). The revisions will change the definition of ‘‘Chief Privacy Officer’’ in order to align the Chief Privacy Officer’s authorities and responsibilities identified in the regulation to those of the Bureau’s designated Senior Agency Official for Privacy. The revisions will also facilitate electronic or remote identity proofing and authentication by creating an additional method for a requester to verify their identity when submitting a Privacy Act request to the Bureau. DATES: This rule is effective September 1, 2021. FOR FURTHER INFORMATION CONTACT: David Snyder, Senior Counsel, Legal Division, 202–435–7758. If you require this document in an alternative electronic format, please contact CFPB_ Accessibility@cfpb.gov. SUPPLEMENTARY INFORMATION: SUMMARY: I. Background The Bureau first published its Privacy Act implementation rules, located in subpart E of part 1070, in an interim final rule in July 2011. See 76 FR 45371 (July 28, 2011). This was followed by a final rule in February 2013. See 78 FR 11483 (Feb. 15, 2013). The Bureau subsequently proposed revisions to its rules in a notice of proposed rulemaking in August 2016, followed by a final rule that adopted these revisions in September 2018. See 81 FR 58310 (Aug. 24, 2016); 83 FR 46075 (Sept. 12, 2018). PO 00000 Frm 00014 Fmt 4700 Sfmt 4700 The Bureau now makes limited revisions to its Privacy Act implementation rules in order to (1) align the authorities and responsibilities of the ‘‘Chief Privacy Officer’’ identified in the rules with the authorities and responsibilities of the Bureau’s Senior Agency Official for Privacy; and (2) facilitate electronic or remote identity proofing and authentication in accordance with the Creating Advanced Streamlined Electronic Services for Constituents (CASES) Act of 2019, Public Law 116–50, 133 Stat. 1073 (2019), and the Office of Management and Budget’s implementing guidance, M–21–04, ‘‘Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act’’ (Nov. 12, 2020). II. Summary of the Rule The Bureau makes two revisions to subpart E of part 1070, which establishes the Bureau’s rule implementing the Privacy Act. First, the Bureau revises the definition of ‘‘Chief Privacy Officer’’ to align the authorities and responsibilities in the regulation to those of its designated Senior Agency Official for Privacy. Second, to facilitate electronic or remote identity proofing and authentication, the Bureau adds an additional method for a requester to verify their identity when submitting a Privacy Act request to the Bureau. III. Legal Authority The Bureau is issuing this rule pursuant to its authority under title X of the Dodd-Frank Act, 12 U.S.C. 5481 et seq., and the Privacy Act of 1974, 5 U.S.C. 552a. IV. Section-by-Section Analysis of the Proposed Rule Part 1070—Disclosure of Records and Information Subpart E—The Privacy Act Section 1070.50 Purpose and Scope; Definitions Subparagraph 1070.50(b)(1) defines the term ‘‘Chief Privacy Officer,’’ whose authorities and responsibilities are established in subpart E. The Bureau revises the definition to mean ‘‘the Senior Agency Official for Privacy of the CFPB or any CFPB employee to whom the Senior Agency Official for Privacy has delegated authority to act under this part.’’ The Bureau originally defined the term to mean ‘‘the Chief Information Officer of the CFPB’’ or their delegee in order to reflect the agency’s earlier organizational structure, in which the Bureau’s Chief Information Officer oversaw its Privacy Program. The E:\FR\FM\01SER1.SGM 01SER1 Federal Register / Vol. 86, No. 167 / Wednesday, September 1, 2021 / Rules and Regulations Bureau has since reorganized its Operations Division and located its Privacy Program under the oversight of its Chief Data Officer. The Chief Data Officer has been designated the Bureau’s Senior Agency Official for Privacy in accordance with Office of Management and Budget, M–16–24, ‘‘Role and Designation of Senior Agency Officials for Privacy’’ (Sept. 15, 2016). The Bureau revises the definition to reflect its reorganization and align the privacy-related authorities and responsibilities assigned to the Chief Privacy Officer in subpart E with the authorities and responsibilities of its Senior Agency Official for Privacy. The Bureau defines the term to mean ‘‘Senior Agency Official for Privacy’’ instead of ‘‘Chief Data Officer’’ (currently the same Bureau official) to ensure that subpart E remains aligned with the Bureau Privacy Program’s structure in the event of any future reorganizations or re-designations of the Senior Agency Official for Privacy. Section 1070.53 Records Request for Access to khammond on DSKJM1Z7X2PROD with RULES Section 1070.53(c) Identity Verification of 16:01 Aug 31, 2021 Jkt 253001 Privacy of the CFPB or any CFPB employee to whom the Senior Agency Official for Privacy has delegated authority to act under this part; * * * * * 3. Revise § 1070.53(c) to read as follows: ■ § 1070.53 Request for access to records. V. Procedural Requirements * No notice of proposed rulemaking is required under the Administrative Procedure Act (APA) because this rule relates solely to agency procedure and practice. 5 U.S.C. 553(b). Because no notice of proposed rulemaking is required, the Regulatory Flexibility Act does not require an initial or final regulatory flexibility analysis. 5 U.S.C. 603, 604. Finally, the Bureau has determined that this rule does not impose any new recordkeeping, reporting, or third-party disclosure requirements on members of the public that would be collections of information requiring approval under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq. (c) Verification of identity. To obtain access to the CFPB’s records pertaining to a requester, the requester shall provide proof to the CFPB of the requester’s identity as provided in paragraphs (c)(1) and (2) of this section. VI. Signing Authority Section 1070.53(c) requires that members of the public provide proof of their identity in order to obtain access to Bureau records pursuant to the Privacy Act. Paragraph 1070.53(c)(1), in turn, provides three methods that will be considered adequate proof of a requester’s identity. The Bureau adds an additional method of identity verification, permitting verification via successful completion of a third-party’s identity verification process, designated by the Bureau, where that process meets the requirements of Identity Assurance Level 2 (IAL2) as described by the National Institute of Standards and Technology. The Bureau makes this revision in order to facilitate electronic or remote identity proofing and authentication in accordance with the CASES Act of 2019, Public Law 116–50, 133 Stat. 1073 (2019), and the Office of Management and Budget’s implementing guidance, M–21–04, ‘‘Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act’’ (Nov. 12, 2020). The Bureau intends to use a third-party identify verification process, available via login.gov, to facilitate electronic identity verification; successful completion of that process will be sufficient for verifying a requester’s identity pursuant to paragraph 1070.53(c)(1). The Bureau proposes to use generic language in the VerDate Sep<11>2014 regulation’s description of this process in order to retain flexibility to use other identity-verification products in the future as needed. Only a third-party identity verification process that is designated by the Bureau will be deemed a sufficient method of identity verification for purposes of paragraph 1070.53(c)(1). 48901 The Acting Director of the Bureau, David Uejio, having reviewed and approved this document, is delegating the authority to electronically sign this document to Laura Galban, a Bureau Federal Register Liaison, for purposes of publication in the Federal Register. List of Subjects in 12 CFR Part 1070 Confidential business information; Consumer protection; Freedom of information; Privacy. Authority and Issuance For the reasons set forth in the preamble, the Bureau amends 12 CFR part 1070 to read as follows: PART 1070—DISCLOSURE OF RECORDS AND INFORMATION 1. The authority citation continues to read as follows: ■ Authority: 12 U.S.C. 5481 et seq.; 5 U.S.C. 552; 5 U.S.C. 552a; 18 U.S.C. 1905; 18 U.S.C. 641; 44 U.S.C. ch. 31; 44 U.S.C. ch. 35; 12 U.S.C. 3401 et seq. Subpart E—Privacy Act 2. Revise § 1070.50(b)(1) to read as follows: ■ § 1070.50 Purpose and scope; definitions. * * * * * (b) * * * (1) The term Chief Privacy Officer means the Senior Agency Official for PO 00000 Frm 00015 Fmt 4700 Sfmt 4700 * * * * (1) In general, the following will be considered adequate proof of a requester’s identity: (i) A photocopy of two forms of identification, including one form of identification that bears the requester’s photograph, and one form of identification that bears the requester’s signature; (ii) A photocopy of a single form of identification that bears both the requester’s photograph and signature; (iii) A statement swearing or affirming the requester’s identity and to the fact that the requester understands the penalties provided in 5 U.S.C. 552a(i)(3); or (iv) Successful completion of a thirdparty’s identity verification process, designated by the Bureau, where that process meets the requirements of Identity Assurance Level 2 (IAL2) as described by the National Institute of Standards and Technology. (2) Notwithstanding paragraph (c)(1) of this section, a designated official may require additional proof of the requester’s identity before action will be taken on any request, if such official determines that it is necessary to protect against unauthorized disclosure of information in a particular case. In addition, if a requester seeks records pertaining to an individual in the requester’s capacity as that individual’s guardian, the requester shall be required to provide adequate proof of the requester’s legal relationship before action will be taken on any request. * * * * * Dated: August 25, 2021. Laura Galban, Federal Register Liaison, Bureau of Consumer Financial Protection. [FR Doc. 2021–18589 Filed 8–31–21; 8:45 am] BILLING CODE 4810–AM–P E:\FR\FM\01SER1.SGM 01SER1

Agencies

BUREAU OF CONSUMER FINANCIAL PROTECTION

[Federal Register Volume 86, Number 167 (Wednesday, September 1, 2021)]
[Rules and Regulations]
[Pages 48900-48901]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-18589]


=======================================================================
-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Part 1070


Privacy Act Implementation Rules

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Consumer Financial Protection (Bureau or CFPB) 
makes limited revisions to its regulations that establish the 
procedures used by the public to obtain records from the Bureau under 
the Privacy Act of 1974 (Privacy Act). The revisions will change the 
definition of ``Chief Privacy Officer'' in order to align the Chief 
Privacy Officer's authorities and responsibilities identified in the 
regulation to those of the Bureau's designated Senior Agency Official 
for Privacy. The revisions will also facilitate electronic or remote 
identity proofing and authentication by creating an additional method 
for a requester to verify their identity when submitting a Privacy Act 
request to the Bureau.

DATES: This rule is effective September 1, 2021.

FOR FURTHER INFORMATION CONTACT: David Snyder, Senior Counsel, Legal 
Division, 202-435-7758. If you require this document in an alternative 
electronic format, please contact [email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    The Bureau first published its Privacy Act implementation rules, 
located in subpart E of part 1070, in an interim final rule in July 
2011. See 76 FR 45371 (July 28, 2011). This was followed by a final 
rule in February 2013. See 78 FR 11483 (Feb. 15, 2013). The Bureau 
subsequently proposed revisions to its rules in a notice of proposed 
rulemaking in August 2016, followed by a final rule that adopted these 
revisions in September 2018. See 81 FR 58310 (Aug. 24, 2016); 83 FR 
46075 (Sept. 12, 2018). The Bureau now makes limited revisions to its 
Privacy Act implementation rules in order to (1) align the authorities 
and responsibilities of the ``Chief Privacy Officer'' identified in the 
rules with the authorities and responsibilities of the Bureau's Senior 
Agency Official for Privacy; and (2) facilitate electronic or remote 
identity proofing and authentication in accordance with the Creating 
Advanced Streamlined Electronic Services for Constituents (CASES) Act 
of 2019, Public Law 116-50, 133 Stat. 1073 (2019), and the Office of 
Management and Budget's implementing guidance, M-21-04, ``Modernizing 
Access to and Consent for Disclosure of Records Subject to the Privacy 
Act'' (Nov. 12, 2020).

II. Summary of the Rule

    The Bureau makes two revisions to subpart E of part 1070, which 
establishes the Bureau's rule implementing the Privacy Act. First, the 
Bureau revises the definition of ``Chief Privacy Officer'' to align the 
authorities and responsibilities in the regulation to those of its 
designated Senior Agency Official for Privacy. Second, to facilitate 
electronic or remote identity proofing and authentication, the Bureau 
adds an additional method for a requester to verify their identity when 
submitting a Privacy Act request to the Bureau.

III. Legal Authority

    The Bureau is issuing this rule pursuant to its authority under 
title X of the Dodd-Frank Act, 12 U.S.C. 5481 et seq., and the Privacy 
Act of 1974, 5 U.S.C. 552a.

IV. Section-by-Section Analysis of the Proposed Rule

Part 1070--Disclosure of Records and Information

Subpart E--The Privacy Act

Section 1070.50 Purpose and Scope; Definitions
    Subparagraph 1070.50(b)(1) defines the term ``Chief Privacy 
Officer,'' whose authorities and responsibilities are established in 
subpart E. The Bureau revises the definition to mean ``the Senior 
Agency Official for Privacy of the CFPB or any CFPB employee to whom 
the Senior Agency Official for Privacy has delegated authority to act 
under this part.''
    The Bureau originally defined the term to mean ``the Chief 
Information Officer of the CFPB'' or their delegee in order to reflect 
the agency's earlier organizational structure, in which the Bureau's 
Chief Information Officer oversaw its Privacy Program. The

[[Page 48901]]

Bureau has since reorganized its Operations Division and located its 
Privacy Program under the oversight of its Chief Data Officer. The 
Chief Data Officer has been designated the Bureau's Senior Agency 
Official for Privacy in accordance with Office of Management and 
Budget, M-16-24, ``Role and Designation of Senior Agency Officials for 
Privacy'' (Sept. 15, 2016).
    The Bureau revises the definition to reflect its reorganization and 
align the privacy-related authorities and responsibilities assigned to 
the Chief Privacy Officer in subpart E with the authorities and 
responsibilities of its Senior Agency Official for Privacy. The Bureau 
defines the term to mean ``Senior Agency Official for Privacy'' instead 
of ``Chief Data Officer'' (currently the same Bureau official) to 
ensure that subpart E remains aligned with the Bureau Privacy Program's 
structure in the event of any future reorganizations or re-designations 
of the Senior Agency Official for Privacy.
Section 1070.53 Request for Access to Records
Section 1070.53(c) Verification of Identity
    Section 1070.53(c) requires that members of the public provide 
proof of their identity in order to obtain access to Bureau records 
pursuant to the Privacy Act. Paragraph 1070.53(c)(1), in turn, provides 
three methods that will be considered adequate proof of a requester's 
identity. The Bureau adds an additional method of identity 
verification, permitting verification via successful completion of a 
third-party's identity verification process, designated by the Bureau, 
where that process meets the requirements of Identity Assurance Level 2 
(IAL2) as described by the National Institute of Standards and 
Technology.
    The Bureau makes this revision in order to facilitate electronic or 
remote identity proofing and authentication in accordance with the 
CASES Act of 2019, Public Law 116-50, 133 Stat. 1073 (2019), and the 
Office of Management and Budget's implementing guidance, M-21-04, 
``Modernizing Access to and Consent for Disclosure of Records Subject 
to the Privacy Act'' (Nov. 12, 2020). The Bureau intends to use a 
third-party identify verification process, available via login.gov, to 
facilitate electronic identity verification; successful completion of 
that process will be sufficient for verifying a requester's identity 
pursuant to paragraph 1070.53(c)(1). The Bureau proposes to use generic 
language in the regulation's description of this process in order to 
retain flexibility to use other identity-verification products in the 
future as needed. Only a third-party identity verification process that 
is designated by the Bureau will be deemed a sufficient method of 
identity verification for purposes of paragraph 1070.53(c)(1).

V. Procedural Requirements

    No notice of proposed rulemaking is required under the 
Administrative Procedure Act (APA) because this rule relates solely to 
agency procedure and practice. 5 U.S.C. 553(b). Because no notice of 
proposed rulemaking is required, the Regulatory Flexibility Act does 
not require an initial or final regulatory flexibility analysis. 5 
U.S.C. 603, 604.
    Finally, the Bureau has determined that this rule does not impose 
any new recordkeeping, reporting, or third-party disclosure 
requirements on members of the public that would be collections of 
information requiring approval under the Paperwork Reduction Act, 44 
U.S.C. 3501 et seq.

VI. Signing Authority

    The Acting Director of the Bureau, David Uejio, having reviewed and 
approved this document, is delegating the authority to electronically 
sign this document to Laura Galban, a Bureau Federal Register Liaison, 
for purposes of publication in the Federal Register.

List of Subjects in 12 CFR Part 1070

    Confidential business information; Consumer protection; Freedom of 
information; Privacy.

Authority and Issuance

    For the reasons set forth in the preamble, the Bureau amends 12 CFR 
part 1070 to read as follows:

PART 1070--DISCLOSURE OF RECORDS AND INFORMATION

0
1. The authority citation continues to read as follows:

    Authority:  12 U.S.C. 5481 et seq.; 5 U.S.C. 552; 5 U.S.C. 552a; 
18 U.S.C. 1905; 18 U.S.C. 641; 44 U.S.C. ch. 31; 44 U.S.C. ch. 35; 
12 U.S.C. 3401 et seq.

Subpart E--Privacy Act

0
2. Revise Sec.  1070.50(b)(1) to read as follows:


Sec.  1070.50   Purpose and scope; definitions.

* * * * *
    (b) * * *
    (1) The term Chief Privacy Officer means the Senior Agency Official 
for Privacy of the CFPB or any CFPB employee to whom the Senior Agency 
Official for Privacy has delegated authority to act under this part;
* * * * *

0
3. Revise Sec.  1070.53(c) to read as follows:


Sec.  1070.53   Request for access to records.

* * * * *
    (c) Verification of identity. To obtain access to the CFPB's 
records pertaining to a requester, the requester shall provide proof to 
the CFPB of the requester's identity as provided in paragraphs (c)(1) 
and (2) of this section.
    (1) In general, the following will be considered adequate proof of 
a requester's identity:
    (i) A photocopy of two forms of identification, including one form 
of identification that bears the requester's photograph, and one form 
of identification that bears the requester's signature;
    (ii) A photocopy of a single form of identification that bears both 
the requester's photograph and signature;
    (iii) A statement swearing or affirming the requester's identity 
and to the fact that the requester understands the penalties provided 
in 5 U.S.C. 552a(i)(3); or
    (iv) Successful completion of a third-party's identity verification 
process, designated by the Bureau, where that process meets the 
requirements of Identity Assurance Level 2 (IAL2) as described by the 
National Institute of Standards and Technology.
    (2) Notwithstanding paragraph (c)(1) of this section, a designated 
official may require additional proof of the requester's identity 
before action will be taken on any request, if such official determines 
that it is necessary to protect against unauthorized disclosure of 
information in a particular case. In addition, if a requester seeks 
records pertaining to an individual in the requester's capacity as that 
individual's guardian, the requester shall be required to provide 
adequate proof of the requester's legal relationship before action will 
be taken on any request.
* * * * *

    Dated: August 25, 2021.
Laura Galban,
Federal Register Liaison, Bureau of Consumer Financial Protection.
[FR Doc. 2021-18589 Filed 8-31-21; 8:45 am]
BILLING CODE 4810-AM-P

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.