The Commission's Privacy Act Regulations, 10483-10490 [2023-03467]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 88, Number 34 (Tuesday, February 21, 2023)]
[Proposed Rules]
[Pages 10483-10490]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-03467]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 200

[Release No. 34-96906; PA-59; File No. S7-03-23]
RIN 3235-AN21


The Commission's Privacy Act Regulations

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'' or 
``SEC'') is proposing amendments to the Commission's regulations under 
the Privacy Act of 1974, as amended (``Privacy Act''). The proposed 
amendments would revise the Commission's regulations under the Privacy 
Act to clarify, update, and streamline the language of several 
procedural provisions.

DATES: Comments should be received by April 17, 2023.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's internet comment form (https://www.sec.gov/rules/submitcomments.htm);
     Send an email to [email protected]. Please include 
File Number S7-03-23 on the subject line; or

Paper Comments

     Send paper comments to Vanessa A. Countryman, Secretary, 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549-1090.

All submissions should refer to File Number S7-03-23. This file number 
should be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method of submission. The Commission will post comments on 
the Commission's website (https://www.sec.gov/rules/proposed.shtml). 
Comments are also available for website viewing and printing in the 
Commission's Public Reference Room, 100 F Street NE, Washington, DC 
20549, on official business days between the hours of 10 a.m. and 3 
p.m. Operating conditions may limit access to the Commission's Public 
Reference Room. All comments received will be posted without change. 
Persons submitting comments are cautioned that we do not redact or edit 
personal identifying information from comment submissions. You should 
submit only information that you wish to make available publicly.
    Studies, memoranda, or other substantive items may be added by the 
Commission or staff to the comment file during this rulemaking. A 
notification of the inclusion in the comment file of any such materials 
will be made available on our website. To ensure direct electronic 
receipt of such notifications, sign up through the ``Stay Connected'' 
option at www.sec.gov to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Ray McInerney, FOIA/PA Officer, Office 
of FOIA Services, (202) 551-6249; Securities and Exchange Commission, 
100 F Street NE, Washington, DC 20549-5041.

SUPPLEMENTARY INFORMATION:

I. Background

    The Privacy Act is the principal law governing the handling of 
personal information in the Federal government. It governs the 
collection, maintenance, use, and dissemination of information about 
individuals that is maintained in systems of records by Federal 
agencies. The Privacy Act also affords individuals a right of access to 
records pertaining to them and a right to have inaccurate records 
corrected. The Commission last amended its Privacy Act regulations in 
2011.
    In the course of reviewing our regulations under the Privacy Act, 
we have identified areas where it would be beneficial to clarify, 
update, and streamline the language of several provisions. Accordingly, 
we are proposing revisions to our Privacy Act regulations. The proposed 
revisions include: adding a provision setting forth the process by 
which individuals may be provided with an accounting of disclosures 
made by the Commission; adding a provision to codify the existing 
practice of providing 90 days to file an administrative appeal in 
response to a denial of a Privacy Act inquiry or request; deleting 
certain existing provisions that are duplicative and unnecessary; 
reorganizing certain provisions; and updating the fee provisions.\1\ 
Due to the scope of the proposed revisions, the proposed rule would 
replace the Commission's current Privacy Act regulations in their 
entirety (17 CFR 200.301 through 200.313).
---------------------------------------------------------------------------

    \1\ The terms ``inquiry'' and ``request'' are defined in 5 
U.S.C. 552a.
---------------------------------------------------------------------------

II. Discussion of the Proposed Rule

A. Proposed Amendments To Update, Clarify, and Streamline the Privacy 
Act Regulations

    We are proposing to amend certain procedural provisions to clarify, 
update, and streamline the Commission's regulations.\2\ The proposed 
revisions, among other things: clarify the purpose and scope of the 
regulations (proposed Section 200.301); update definitions so that the 
processes set forth in the regulations are more plainly described 
(proposed 17 CFR 200.302); simplify the processes for submitting and 
receiving responses to Privacy Act inquiries, requests, and 
administrative appeals (proposed 17 CFR 200.303, 305, 306, 307, and 
308); allow for requesters to electronically verify their identities, 
including by facsimile, email, or an online Commission form (proposed 
17 CFR 200.303); \3\ provide for a shorter Commission response time to 
Privacy Act inquiries as to whether a specific system of records 
maintained by the Commission contains a record pertaining to the 
requester, which aligns with other relevant time lines (proposed 17 CFR 
200.304); update agency contact information (e.g., office names, 
facsimile numbers, email addresses, and physical addresses) (proposed 
17 CFR 200.303, 305, 308, and 309); and update the list of Commission 
systems of records that have promulgated rules exempting certain 
records from certain provisions of the Privacy Act (proposed 17 CFR 
200.310).
---------------------------------------------------------------------------

    \2\ These amendments are discussed in greater detail in Section 
IV. Economic Analysis.
    \3\ The Office of FOIA Services currently accepts electronic 
submission of verification of identity in all of these formats.
---------------------------------------------------------------------------

B. Proposed Revisions to Fee Provisions

    The proposed amendments would revise the fee provisions (proposed 
17 CFR 200.309) to update the provisions to reflect existing practice. 
The present rule states that fees for copying documents will be 
determined by rates set by contract with commercial copiers.

[[Page 10484]]

The proposed amendments would revise the rule to reflect existing 
practice, which is to apply the duplication fees listed on the Office 
of FOIA Services' fee page on the Commission's website. The duplication 
fees currently posted on the website reflect the direct costs to the 
Commission of producing a copy, whether in paper or electronic format, 
taking into account various factors including the salary of the 
employee(s) performing the work and the cost of materials. The Office 
of FOIA Services does not charge for providing existing electronic 
records because such a production does not require processes, such as 
copying or scanning, that impose direct costs on the Commission. The 
duplication fee posted on the Commission's website is adjusted as 
appropriate to reflect current costs.
    The proposed amendments also would codify the existing practice of 
charging requesters the direct costs associated with making records 
available on electronic storage devices, as reflected on the 
Commission's FOIA fee website. Further, the proposed amendments would 
allow for providing requesters with one free copy of each record 
amended or corrected pursuant to a request for amendment or correction.

C. Proposed Elimination of Certain Provisions

    The proposed amendments would eliminate two Sections of the 
existing regulations in their entirety. The proposed amendments also 
would eliminate certain other provisions within the existing 
regulations. The deleted provisions restate language in the Privacy 
Act, and thus do not require elaboration in the Commission's 
regulations; have been incorporated into other provisions within the 
proposed rule; or are otherwise unnecessary. The proposed amendments 
would remove the following:
    Title 17, section 200.305 of the existing rule: This provision, 
which provides special procedures for requests for medical records, is 
unnecessary as the medical records the Commission typically maintains, 
whether about Commission staff or other individuals, are generally 
available to those individuals through other means, and the Commission 
has never used special procedures for medical records in connection 
with Privacy Act requests.
    Title 17, section 200.307(b) of the existing rule: This provision 
restates the standards applied in reviewing requests for amendment or 
correction of records. These standards are set forth in the Privacy 
Act. Therefore, it is unnecessary to restate them in the Commission's 
regulations.
    Title 17, section 200.309(a): This provision describes the 
standards for extending time to respond to requests. This section uses 
language from the Freedom of Information Act (5 U.S.C. 
552(a)(6)(B)(iii)) rather than the Privacy Act. Title 17, sections 
200.304(d)(1), 304(d)(2)(ii), 307(b), and 309(a)(3) of the proposed 
rule contain information about extensions of time based on the 
requirements of the Privacy Act.
    Title 17, sections 200.309(b), (c), (d), and (e) of the existing 
rule: These provisions are unnecessary as they are not contemplated by 
the statute, are covered elsewhere in the revised rule, or are obsolete 
due to changes in technology affecting how Privacy Act requests are 
processed.
    Title 17, section 200.311 of the existing rule: This provision 
restates the statutory penalties set forth in the Privacy Act (5 U.S.C. 
552a(i)). Accordingly, recitation within Commission regulations is 
unnecessary.

D. Proposed Addition of Provisions

    The proposed amendments would add a provision for processing 
requests by individuals for an accounting of certain record disclosures 
about the requester, to include the date, nature, and purpose of each 
disclosure, that the Commission has made available to another person, 
organization, or agency (proposed 17 CFR 200.307). While the statute 
allows for individuals to request such an accounting (5 U.S.C. 
552a(c)(3)), the Commission's existing rule has no such provision. The 
proposed amendments would also add a provision that formally implements 
a 90-day time period for requesters to file administrative appeals 
(proposed 17 CFR 200.308). The 90-day period is appropriate because 
Privacy Act requests for access to records are also processed as 
Freedom of Information Act (``FOIA'') requests and the FOIA sets forth 
a 90-day deadline to file an administrative appeal. Because of the 
overlap with FOIA, Privacy Act requesters are currently informed they 
have 90 days to file an administrative appeal in response to an adverse 
decision.

E. Structure of the Proposed Rule

    The structure of the regulations would be revised to read as 
follows:
     17 CFR 200.301 (Purpose and scope);
     17 CFR 200.302 (Definitions);
     17 CFR 200.303 (Procedures for making inquiries and 
requests for access);
     17 CFR 200.304 (Responses to inquiries and requests for 
access);
     17 CFR 200.305 (Requests for amendment or correction of 
records);
     17 CFR 200.306 (Review of requests for amendment or 
correction);
     17 CFR 200.307 (Requests for an accounting of record 
disclosures);
     17 CFR 200.308 (Administrative appeals);
     17 CFR 200.30910 (Fees);
     17 CFR 200.310 (Specific exemptions);
     17 CFR 200.311 (Inspector General exemptions); and
     17 CFR 200.312 [Reserved].

III. General Request for Comments

    We request and encourage any interested person to submit comments 
on any aspect of the proposals, other matters that might have an impact 
on the proposals, and suggestions for additional changes. We note that 
comments are of particular assistance if accompanied by analysis of the 
issues addressed in those comments and any data that may support the 
analysis. We urge commenters to be as specific as possible.

IV. Economic Analysis

    The Commission is sensitive to the economic effects, including the 
costs and benefits that result from its rules. Section 23(a)(2) of the 
Securities Exchange Act of 1934 (``Exchange Act'') requires the 
Commission, in making rules pursuant to any provision of the Exchange 
Act, to consider among other matters the impact any such rule would 
have on competition and prohibits any rule that would impose a burden 
on competition that is not necessary or appropriate in furtherance of 
the purposes of the Exchange Act.\4\ Further, Section 3(f) of the 
Exchange Act requires the Commission, when engaging in rulemaking where 
it is required to consider or determine whether an action is necessary 
or appropriate in the public interest, to consider, in addition to the 
protection of investors, whether the action will promote efficiency, 
competition, and capital formation.\5\ As discussed further below, we 
preliminarily believe that the economic effects of the proposed 
amendments would be limited. Where possible, we have attempted to 
quantify the costs, benefits, and effects on efficiency, competition, 
and capital formation expected to result from the proposed amendments.
---------------------------------------------------------------------------

    \4\ 15 U.S.C. 78w(a).
    \5\ 15 U.S.C. 78c(f).
---------------------------------------------------------------------------

    The proposed amendments fall into four categories: (1) revisions to

[[Page 10485]]

procedural provisions; (2) revisions to certain fee provisions; (3) the 
elimination of certain unnecessary provisions; and (4) the addition of 
a new provision for requesting an accounting of record disclosures. We 
discuss each of these in turn below.
    First, we are proposing amendments to procedural provisions. Most 
of these changes would codify existing practice, including: (1) adding 
new methods for submitting Privacy Act inquiries, requests, and 
administrative appeals; (2) clarifying the existing procedures for 
submitting requests for information or records about oneself; (3) 
clarifying certain existing procedures for verification of identity, 
including options available for in-person or not in-person verification 
and necessary documentation; (4) clarifying existing procedures for 
submitting an administrative appeal; (5) codifying the existing 
practice of providing requesters 90 days to file an administrative 
appeal; and (6) correctly identifying the Commission systems of records 
that are exempt under the Privacy Act.\6\ We believe that these changes 
would have minimal impact on Privacy Act requesters because they 
largely codify existing practices. To the extent the proposed 
amendments result in these practices being followed more consistently, 
they could benefit the public and improve efficiency by decreasing the 
time in which the Commission responds to inquiries, requests, and 
appeals.
---------------------------------------------------------------------------

    \6\ One of the systems of records identified in the existing 
rule is obsolete. Another system of records had its name changed, 
and a new system of records was added.
---------------------------------------------------------------------------

    Furthermore, these amendments may reduce potential confusion among 
Privacy Act requesters with regard to certain existing procedures, 
which could further benefit the public. In particular, because Privacy 
Act requests for access to records are also processed as FOIA requests 
and the FOIA sets forth a 90-day deadline to file an administrative 
appeal, Privacy Act requesters are currently informed they have 90 days 
to file an administrative appeal in response to an adverse decision. We 
believe that codifying this existing practice would benefit requesters 
by removing any uncertainty as to when appeals must be filed. In 
addition, with respect to the provisions on verification of identity, 
the amendments also explicitly provide for an alternative electronic 
identification option through processes made available on the 
Commission's website. By clarifying and supplementing the available 
options for verification, these amendments may allow requestors to more 
efficiently choose a verification process that is most appropriate for 
them. We do not expect the proposed amendments to the procedural 
provisions to result in additional costs to any member of the public.
    Second, we are proposing to revise the provision concerning fees 
charged for duplication. This includes: (1) determining duplication 
fees based on the direct cost to the Commission as set forth on the 
FOIA fee page on the Commission's website; (2) codifying the existing 
practice of charging requesters the direct costs associated with making 
records available on electronic storage devices; and (3) clarifying 
that requesters will receive one free copy of each record corrected or 
amended pursuant to a request for amendment.
    The proposed changes to the fee procedures would benefit Privacy 
Act requesters by removing potential confusion about the cost of 
obtaining records and the cost of making records available on 
electronic storage devices. We do not anticipate that any of the 
proposed changes to the fee procedures would impose significant new 
costs on Privacy Act requesters or have any other economic impact.
    Prior to July 2018, duplication costs for FOIA and Privacy Act 
requesters were 24 cents per page as set by contract with a commercial 
copier. Since that time, duplication costs have been set at 15 cents 
per page, which reflects the direct cost to the Commission. Duplication 
fees may change in the future, to the extent that the Commission's 
direct costs for duplicating materials increase or decrease.
    The table below shows the number of Privacy Act requests processed 
by the Commission during fiscal years 2015 through 2022 and that, 
during those years, the Commission collected no fees for processing 
requests received under the Privacy Act.

------------------------------------------------------------------------
                                                          Fees collected
               Fiscal year                   Requests     for processing
                                             processed       requests
------------------------------------------------------------------------
2015....................................             134          $00.00
2016....................................             155           00.00
2017....................................              95           00.00
2018....................................             283           00.00
2019....................................             162           00.00
2020....................................             159           00.00
2021....................................             255           00.00
2022....................................             261           00.00
------------------------------------------------------------------------

    From fiscal years 2015 through 2022 requesters were not charged 
fees because either no records were provided or the requester was 
provided with existing electronic records, for which a fee is not 
charged. There were no requests processed that required production of 
hard copy records, the scanning of hard copies, or production in 
another media, such as an electronic storage device, and, consequently, 
no requests that would have imposed direct costs on the Commission.
    Given the lack of chargeable duplication fees in recent years, the 
Commission anticipates that the proposed changes to duplication fees 
(including fees for producing materials in electronic format) would not 
result in significant additional costs for requesters. Further, these 
proposed changes largely codify existing practices regarding fees for 
duplication and production on other types of media and, like the 
current regulations, do not charge fees for searching or retrieving 
records.
    The proposed change that clarifies that requesters will receive one 
free copy of each record corrected or amended pursuant to a request for 
amendment also codifies an existing practice, and would therefore not 
impose any additional burden on requesters.
    Third, the Commission is proposing to eliminate certain provisions 
in its Privacy Act regulations. The Commission does not anticipate that 
the removal of 17 CFR 200.305 will have any meaningful economic 
effects. The provision provides special procedures for requests for 
medical records, but the medical records the Commission typically 
maintains, whether about Commission staff or other individuals, are 
generally available to those individuals through other means, and the 
Commission has never used special procedures for medical records in 
connection with Privacy Act requests. The Commission does not expect 
the proposed elimination of 17 CFR 200.307(b) and 200.311 to result in 
any economic effects because they restate language in the Privacy Act.
    There would also be minimal economic effects from the proposed 
elimination of 17 CFR 200.309(a), which describes the standards for 
extending time to respond to requests, because other provisions in the 
proposed rule (17 CFR 200.304(d), 200.306(b), and 200.307(d)) address 
the procedures and reasons for extending the time to respond to 
inquiries and requests. Similarly, the Commission does not expect the 
proposed elimination of 17 CFR 200.309(c) and 200.309(d) to result in 
meaningful economic effects. These provisions require giving notice to 
a requester when delay will result from the fact that the subject 
records are in

[[Page 10486]]

use by a member of the Commission or its staff and when records are 
lost. The proposed rule would require the Office of FOIA Services to 
notify requesters of reasons for delay and of the fact that a record 
does not exist, so the specific information in 17 CFR 200.309(c) and 
200.309(d) is duplicative.
    The proposed elimination of 17 CFR 200.309(b) would remove the 
concept of an ``effective date of action'' as it relates to mailing 
acknowledgements or responses by the Commission. This proposed 
amendment could increase the Commission's flexibility in acknowledging 
or responding to requests while also potentially increasing uncertainty 
for requesters, but these effects would only be realized to the extent 
that requesters and the Commission rely on mail to make and respond to 
requests, and the Commission expects that use of mail will be 
infrequent going forward because most communications occur by email.
    The proposed elimination of 17 CFR 200.309(e)(1), which prohibits 
oral requests, would have no substantive effect, because the existing 
regulations, like the proposed amendments, elsewhere require Privacy 
Act requests to be made in writing. The elimination of 17 CFR 
200.309(e)(2), which states that a misdirected request will be deemed 
received only once it is received by a Privacy Act Officer and that an 
appeal will not be considered unless the request was in fact received 
by a Privacy Act Officer, would remove an unnecessary provision because 
the proposed rules in 17 CFR 200.303(a) and 200.305(a) have the same 
effect by requiring that requesters use the methods described in the 
proposed rules to submit a Privacy Act inquiry or request.
    Finally, the Commission is proposing to add a provision outlining 
the procedure for making requests for an accounting of record 
disclosures. The existing rules do not provide for such a procedure, 
although the public's right to make such a request is contemplated by 
the statute. 5 U.S.C.552a(c)(3). This provision would reduce the 
potential confusion among Privacy Act requesters about the exact 
procedure that they would have to follow with regard to this type of 
request, and therefore this provision would generally benefit the 
public. Furthermore, by providing clarity about the procedure that 
would have to be followed when requesting an accounting of record 
disclosure, the provision would likely reduce the cost to the public of 
submitting this type of request.
    The Commission preliminarily believes that the proposed amendments 
would not have any significant impact on competition or capital 
formation. The proposed amendments may result in a slight improvement 
in operational efficiency, to the extent that they decrease the time in 
which the Commission responds to inquiries, requests, and appeals. The 
Commission requests comment on all aspects of the benefits and costs of 
the proposal, including any anticipated impacts on efficiency, 
competition, or capital formation.

V. Regulatory Flexibility Act Certification

    Section 3(a) of the Regulatory Flexibility Act of 1980 requires the 
Commission to undertake an initial regulatory flexibility analysis of 
the effect of the proposed rule amendments on small entities unless the 
Commission certifies that the proposal, if adopted, would not have a 
significant economic impact on a substantial number of small entities. 
As discussed above, most of the proposed changes are procedural. Many 
of the changes codify existing practices and are therefore unlikely to 
have any economic impact on requesters. With respect to the changes to 
the fee schedule, under the Privacy Act, agencies may recover only the 
cost of duplicating the records processed for requesters. These fees 
are typically nominal, and the proposed changes to the fee regulations 
codify existing practice and thus would not have a significant economic 
impact on a Privacy Act requester. Fees for duplication are identified 
on the Commission's web page at https://www.sec.gov/foia/feesche.htm. 
In accordance with the Regulatory Flexibility Act (5 U.S.C. 605(b)), 
the Commission certifies that the proposed amendments to the Privacy 
Act regulations, if adopted, would not have a significant economic 
impact on a substantial number of small entities. The Commission 
requests comment regarding the appropriateness of its certification.

VI. Paperwork Reduction Act

    The proposed rule would not impose any new ``collection of 
information'' requirement as defined by the Paperwork Reduction Act of 
1995 (``PRA''), 44 U.S.C. 3501 et seq.; nor would it create any new 
filing, reporting, recordkeeping, or disclosure reporting requirements. 
Accordingly, we are not submitting the proposed rule to the Office of 
Management and Budget for review under the PRA.\7\ We request comment 
on whether our conclusion that there are no new collections of 
information is correct.
---------------------------------------------------------------------------

    \7\ 44 U.S.C. 3507(d) and 5 CFR 1320.11.
---------------------------------------------------------------------------

VII. Small Business Regulatory Enforcement Fairness Act

    Under the Small Business Regulatory Enforcement Fairness Act of 
1996, a rule is considered ``major'' where, if adopted, it results or 
is likely to result in: (i) an annual effect on the economy of $100 
million or more (either in the form of an increase or a decrease); (ii) 
a major increase in costs or prices for consumers or individual 
industries; or (iii) significant adverse effect on competition, 
investment, or innovation.\8\ We request comment on the potential 
impact of the proposed rule on the economy on an annual basis, any 
potential increase in costs or prices for consumers or individual 
industries, and any potential effect on competition, investment, or 
innovation. Commenters are requested to provide empirical data and 
other factual support for their view to the extent possible.
---------------------------------------------------------------------------

    \8\ Public Law 104-121, 110 Stat. 857 (1996) (codified in 
various sections of 5 U.S.C., 15 U.S.C., and as a note to 5 U.S.C. 
601).
---------------------------------------------------------------------------

Statutory Authority and Text of Proposed Rule Amendments

    The amendments contained herein are being proposed under the 
authority set forth in 5 U.S.C. 552a(f), 552a(j), 552a(k); and 15 
U.S.C. 78d-1 and 78w(a).

List of Subjects in 17 CFR Part 200

    Administrative practice and procedure; Privacy Act.

Text of Proposed Amendments

    For the reasons stated in the preamble, the Commission proposes to 
amend title 17, chapter II of the Code of Federal Regulations as 
follows:

PART 200--ORGANIZATION; CONDUCT AND ETHICS; AND INFORMATION AND 
REQUESTS

0
1. The authority citation for part 200 continues to read as follows:

    Authority:  5 U.S.C. 552, 552a, 552b, and 557; 11 U.S.C. 901 and 
1109(a); 15 U.S.C. 77c, 77e, 77f, 77g, 77h, 77j, 77o, 77q, 77s, 77u, 
77z-3, 77ggg(a), 77hhh, 77sss, 77uuu, 78b, 78c(b), 78d, 78d-1, 78d-
2, 78e, 78f, 78g, 78h, 78i, 78k, 78k-1, 78l, 78m, 78n, 78o, 78o-4, 
78q, 78q-1, 78w, 78t-1, 78u, 78w, 78ll(d), 78mm, 78eee, 80a-8, 80a-
20, 80a-24, 80a-29, 80a-37, 80a-41, 80a-44(a), 80a-44(b), 80b-3, 
80b-4, 80b-5, 80b-9, 80b-10(a), 80b-11, 7202, and 7211 et seq.; 29 
U.S.C. 794; 44 U.S.C. 3506 and 3507; Reorganization Plan No. 10 of 
1950 (15 U.S.C. 78d nt); sec.

[[Page 10487]]

8G, Pub. L. 95-452, 92 Stat. 1101 (5 U.S.C. App.); sec. 913, Pub. L. 
111-203, 124 Stat. 1376, 1827; sec. 3(a), Pub. L. 114-185, 130 Stat. 
538; E.O. 11222, 30 FR 6469, 3 CFR, 1964-1965 Comp., p. 36; E.O. 
12356, 47 FR 14874, 3 CFR, 1982 Comp., p. 166; E.O. 12600, 52 FR 
23781, 3 CFR, 1987 Comp., p. 235; Information Security Oversight 
Office Directive No. 1, 47 FR 27836; and 5 CFR 735.104 and 5 CFR 
parts 2634 and 2635, unless otherwise noted.

0
2. Revise subpart H to read as follows:

Subpart H--Regulations Pertaining to the Privacy of Individuals and 
Systems of Records Maintained by the Commission

Sec.
200.301 Purpose and scope.
200.302 Definitions.
200.303 Procedures for making inquiries and requests for access.
200.304 Responses to inquiries and requests for access.
200.305 Requests for amendment or correction of records.
200.306 Review of requests for amendment or correction.
200.307 Requests for an accounting of record disclosures.
200.308 Administrative appeals.
200.309 Fees.
200.310 Specific exemptions.
200.311 Inspector General exemptions.
200.312 [Reserved]

    Authority: 5 U.S.C. 552a(f), unless otherwise noted.

    Section 200.310 is also issued under 5 U.S.C. 552a(k).
    Section 200.311 is also issued under 5 U.S.C. 552a(j) and 5 
U.S.C. 552a(k).


Sec.  200.301   Purpose and scope.

    (a) This subpart contains the rules of the Securities and Exchange 
Commission implementing the Privacy Act of 1974, as amended (Pub. L. 
93-579, 5 U.S.C. 552a). These rules are applicable to all records in 
systems of records maintained by the Commission. They set forth the 
procedures by which individuals may make an inquiry regarding or 
request access to records about themselves, request an amendment or 
correction of those records, and request an accounting of disclosures 
of those records by the Commission.
    (b) This subpart also lists the Commission systems of records that 
are exempt from some of the provisions of the Privacy Act of 1974. 
These exemptions are authorized under the Privacy Act, 5 U.S.C. 552a(j) 
and (k).


Sec.  200.302   Definitions.

    In addition to the definitions contained in 5 U.S.C. 552a(a), the 
following definitions apply in this subpart:
    Commission means the Securities and Exchange Commission.
    Inquiry means a request described in Privacy Act section (f)(1).
    Privacy Act means the Privacy Act of 1974, as amended (5 U.S.C. 
552a).
    Request for access to a record means a request made under Privacy 
Act section (d)(1).
    Request for amendment or correction of a record means a request 
made under Privacy Act section (d)(2).
    Request for an accounting means a request made under Privacy Act 
section (c)(3).
    Requester means an individual who makes an inquiry, a request for 
access, a request for amendment or correction, or a request for an 
accounting.


Sec.  200.303   Procedures for making inquiries and requests for 
access.

    Requesters seeking to know if a specific system of records 
maintained by the Commission contains a record pertaining to them may 
submit an inquiry to the Commission. Requesters may also request access 
to records pertaining to them in a system of records maintained by the 
Commission.
    (a) How to make an inquiry or request for access. An inquiry or 
request for access must be in writing and may be submitted by email 
([email protected]) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively 
submit an inquiry or request for access by mail to the Securities and 
Exchange Commission, Office of FOIA Services, 100 F Street NE, 
Washington, DC 20549 or other mailing address or facsimile number 
published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. Inquiries and requests for access that are submitted 
by mail should include the words ``PRIVACY ACT REQUEST'' in capital 
letters at the top of the letter and on the face of the envelope.
    (b) Information to be included in an inquiry or request for access. 
Each inquiry or request for access must include information that will 
assist the Commission in identifying those records the requester is 
seeking information about or access to. The following information, as 
relevant, should be submitted with the request: name of the individual 
whose record is sought; identifying data that will help locate the 
record (e.g., maiden name and period or place of employment); and the 
requester's name, address, telephone number, and email address. Where 
practicable, the requester should identify the system of records that 
is the subject of the inquiry or request for access by reference to the 
Commission's systems of records notices, which are published in the 
Federal Register. The Commission's systems of records notices can also 
be found on the Commission's website at https://www.sec.gov/oit/system-records-notices. If additional information is required before a request 
can be processed, the requester will be so advised.
    (c) Verification of identity. A requester making an inquiry or 
requesting access to a record must verify his or her identity before 
information is given or access is granted unless the information is 
required to be disclosed under the Freedom of Information Act (FOIA), 5 
U.S.C. 552.
    (1) In-person verification. A requester may appear at any of the 
Commission offices, which are listed on the Commission's website at 
https://www.sec.gov/divisions.shtml, and furnish documentation to 
establish his or her identity. Such documentation might include a valid 
driver's license, passport, birth certificate, employee or military 
identification card, or Medicare card. Sufficiency of the documentation 
in verifying identity will be determined by the Commission staff member 
reviewing such documentation.
    (2) Not in-person verification. A requester who does not appear in 
person must verify his or her identity using one of the following 
methods:
    (i) A requester may use electronic identity proofing and 
authentication processes as made available through the Commission's 
website; or
    (ii) A requester may submit a copy of documentation to establish 
the requester's identity (examples of such documentation are noted in 
paragraph (c)(1) of this section).
    (3) Submission of signed statement. For all verification methods, a 
requester must also submit a statement attesting to the requester's 
identity and a statement that the requester understands that a knowing 
and willful request for or acquisition of a record pertaining to an 
individual under false pretenses is a criminal offense subject to a 
$5,000 fine. Sample statements and the requirements for completing them 
are available through the Commission's website.
    (4) Additional procedures for verifying identity. When it appears 
appropriate, the Commission's Office of FOIA Services may make such 
other arrangements for the verification of identity as are reasonable 
under the circumstances and appear to be effective to prevent 
unauthorized disclosure of, or access to, individual records.

[[Page 10488]]

Sec.  200.304   Responses to inquiries and requests for access.

    (a) Initial review. Inquiries and requests for access will be 
referred to the Commission's Office of FOIA Services which will make 
the initial determination as to whether the inquiry or request for 
access will be granted.
    (b) Grant of inquiry or request for access. If it is determined 
that an inquiry or request for access will be granted, the requester 
will be advised in writing. When a request for access is granted, in 
full or in part, a requester may elect to receive a copy of the 
requested record electronically, by mail, or in person, and the Office 
of FOIA Services will comply with that election to the extent 
practicable.
    (c) Denial of an inquiry or request for access. If it is determined 
that no response will be given to an inquiry or that a request for 
access will not be granted, the requester will be notified of that fact 
in writing and given the reasons for the denial. The requester also 
will be advised of his or her right to seek review by the Office of the 
General Counsel of the initial decision in accordance with the 
procedures set forth in Sec.  200.308.
    (d) Time for acting on inquiries and requests for access. (1) 
Responses to inquiries. The Office of FOIA Services will endeavor to 
inform a requester making an inquiry as to whether the named system of 
records contains a record pertaining to him or her within 10 days 
(excluding Saturdays, Sundays, and Federal holidays) of receipt of such 
a request. Whenever a response to an inquiry cannot be made within the 
10 days, the Office of FOIA Services will inform the requester of the 
reasons for the delay and the date by which a response may be 
anticipated.
    (2) Acknowledgement of and responses to requests for access. (i) 
Except where the requester appears in person, the Office of FOIA 
Services will endeavor to acknowledge, in writing, receipt of a request 
for access within 10 days (excluding Saturdays, Sundays, and Federal 
holidays) of receipt of such a request.
    (ii) The Office of FOIA Services will endeavor to respond to a 
request for access to a record pertaining to a requester within 30 days 
(excluding Saturdays, Sundays, and Federal holidays) after the receipt 
of the request. If, for good cause shown, a longer period of time is 
required, the Office of FOIA Services will inform the requester in 
writing of the reasons for the delay, and indicate when access is 
expected to be granted or denied.
    (3) Appearance in person. When a requester appears in person at the 
Commission to make a request for access and the requester provides the 
required information and verification of identity, the Office of FOIA 
Services' staff, if practicable, will indicate whether it is likely 
that the requester will be given access to the records and, if so, when 
and under what circumstances such access will be given.
    (e) Exclusion for certain records. Nothing contained in these rules 
allows a requester to obtain access to any records or information 
compiled in reasonable anticipation of a civil action or proceeding.


 Sec.  200.305  Requests for amendment or correction of records.

    (a) How to a make request for amendment or correction. A written 
request for amendment or correction of records may be submitted by 
email ([email protected]) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively 
submit a request for amendment or correction by mail to the Securities 
and Exchange Commission, Office of FOIA Services, 100 F Street NE, 
Washington, DC 20549 or other mailing address or facsimile number 
published on the Commission's website at  https://www.sec.gov/oso/help/foia-contact.html. Requests that are submitted by mail should include 
the words ``PRIVACY ACT REQUEST'' in capital letters at the top of the 
letter and on the face of the envelope.
    (1) Information to be included in requests for amendment or 
correction. Each request for amendment or correction must reasonably 
describe the record sought to be amended or corrected. Such description 
should include, for example, relevant names, dates, and subject matter 
to permit the record to be located among the records maintained by the 
Commission. The requester will be advised promptly if the record cannot 
be located on the basis of the description given and if further 
identifying information is necessary before the request can be 
processed. Verification of the requester's identity as set forth in 
Sec.  200.303(c) will also be required before an amendment or 
correction is undertaken.
    (2) Basis for amendment or correction. A requester seeking an 
amendment or correction to a record must specify the substance of the 
amendment or correction and set forth facts and provide such materials 
that would support the contention that the record as maintained by the 
Commission is not accurate, timely, or complete or, where a request 
seeks deletion of information, that the record is not necessary and 
relevant to accomplish a statutory purpose of the Commission as 
authorized by law or by Executive Order of the President.
    (b) Acknowledgement of requests for amendment or correction. 
Receipt of a request for amendment or correction will be acknowledged 
in writing within 10 days (excluding Saturdays, Sundays, and Federal 
holidays) after such request has been received. When a request for 
amendment or correction is made in person, the requester will be given 
a written acknowledgement when the request is presented. The 
acknowledgement will describe the request received and indicate when it 
is anticipated that action will be taken on the request.


Sec.  200.306   Review of requests for amendment or correction.

    (a) Initial review. Requests for amendment or correction to records 
pertaining to that individual will be referred to the Commission's 
Office of FOIA Services for an initial determination.
    (b) Time for acting on requests. Initial review of a request for 
amendment or correction will be completed promptly and the Office of 
FOIA Services will endeavor to respond to a request within 30 days 
(excluding Saturdays, Sundays, and Federal holidays) from the date the 
request was received, unless circumstances preclude completion of 
review within that time. If the anticipated completion date indicated 
in the acknowledgement cannot be met, the requester will be advised in 
writing of the delay and the reasons for the delay, and also advised 
when action is expected to be completed.
    (c) Grant of requests for amendment or correction. If a request for 
amendment or correction is granted in whole or in part, the Office of 
FOIA Services will:
    (1) Advise the requester in writing of the extent to which it has 
been granted;
    (2) Amend or correct the record accordingly; and
    (3) Where an accounting of disclosures of the record has been kept 
pursuant to 5 U.S.C. 552a(c), advise all previous recipients of the 
record of the fact that the record has been amended or corrected and 
the substance of the amendment or correction.
    (d) Denial of requests for amendment or correction. If the request 
for amendment or correction is denied in whole or in part, the Office 
of FOIA Services will:
    (1) Promptly advise the requester in writing of the extent to which 
the request has been denied;

[[Page 10489]]

    (2) State the reasons for the denial of the request;
    (3) Describe the procedures to appeal the denial of the request for 
amendment or correction, including the name and address of the person 
to whom the appeal is to be addressed; and
    (4) Inform the requester that the Office of FOIA Services will 
provide information and assistance to the individual in perfecting an 
appeal of the initial decision.


Sec.  200.307  Requests for an accounting of record disclosures.

    (a) How made and addressed. Except where accountings of disclosures 
are not required to be kept or provided (as stated in paragraph (e) of 
this section), requesters may ask the Commission to provide an 
accounting of a disclosure of a record about the requester that the 
Commission has made to another person, organization, or agency. The 
request for an accounting should identify each particular record in 
question and must be made in writing. The request may be submitted by 
email ([email protected]) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively 
submit a request for an accounting by mail to the Securities and 
Exchange Commission, Office of FOIA Services, 100 F Street NE, 
Washington, DC 20549 or other mailing address or facsimile number 
published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. Requests for accounting that are submitted by mail 
should include the words ``PRIVACY ACT REQUEST'' in capital letters at 
the top of the letter and on the face of the envelope.
    (b) Verification of identity. Verification of the requester's 
identity as set forth in section 202.303(c) will be required before an 
accounting is given.
    (c) Acknowledgement of requests for an accounting of record 
disclosures. The Office of FOIA Services will endeavor to acknowledge, 
in writing, receipt of a request for an accounting of record 
disclosures within 10 days of receipt of such a request (excluding 
Saturdays, Sundays, and Federal holidays). When a request for an 
accounting of record disclosures is made in person, the requester will 
be given a written acknowledgement when the request is presented. The 
acknowledgement will describe the request received and indicate when it 
is anticipated that action will be taken on the request.
    (d) Time for acting on requests. The Office of FOIA Services will 
endeavor to respond to a request for an accounting of record 
disclosures within 30 days (excluding Saturdays, Sundays, and Federal 
holidays) from the date the request was received, unless the requester 
is notified in writing within the 30-day period that, for good cause 
shown, a longer period of time is required. In such cases, the 
requester will be informed in writing of the reasons for the delay and 
an indication will be given as to when it is anticipated that an 
accounting may be granted or denied.
    (e) Grant of request of accounting. If it is determined that a 
request for an accounting will be granted, the requester will be 
advised in writing. When a request for access is granted, in full or in 
part, the information will be provided electronically, by mail, or in 
person at the requester's election.
    (f) Denial of a request for accounting. If it is determined that 
the request will not be granted, the requester will be notified of that 
fact in writing and given the reasons for the denial. The requester 
also will be advised of his or her right to seek review by the Office 
of the General Counsel of the initial decision in accordance with the 
procedures set forth in Sec.  200.308.
    (g) Where accountings of record disclosures are not required. The 
Commission is not required to provide accountings of disclosures to 
requesters where they relate to:
    (1) Disclosures made to officers and employees within the 
Commission and disclosures made under the FOIA, 5 U.S.C. 552;
    (2) Disclosures made to law enforcement agencies for authorized law 
enforcement activities in response to written requests from those law 
enforcement agencies specifying the law enforcement activities for 
which disclosures are sought; or
    (3) Disclosures made from law enforcement systems of records that 
have been exempted from accounting requirements.


Sec.  200.308   Administrative appeals.

    (a) Administrative review. A requester who has been notified 
pursuant to Sec. Sec.  200.304(c), 200.306(d), or 200.307(d) that his 
or her inquiry or request has been denied in whole or in part, or who 
has received no response to a request for access or to amend within 30 
days (excluding Saturdays, Sundays, and Federal holidays) after his or 
her request was received by the Office of the FOIA Services, may appeal 
to the Office of the General Counsel the adverse determination.
    (1) Appeals must be received within 90 calendar days of the date of 
the written denial of an inquiry or request and must be received no 
later than 11:59 p.m., Eastern Time, on the 90th day.
    (2) The appeal should be in writing and should provide the assigned 
request number, a copy of the original request, and the adverse 
determination. The appeal should also explain why the requester 
contends any adverse determination was in error. The requester may 
state such facts and cite such legal or other authorities as the 
requester may consider appropriate in support of the appeal. If only a 
portion of the adverse determination is appealed, the requester should 
specify which part is being appealed.
    (3) The appeal may be submitted by email ([email protected]) or online 
at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively submit an appeal by 
mail to the Securities and Exchange Commission, Office of FOIA 
Services, 100 F Street NE, Washington, DC 20549 or other mailing 
address or facsimile number published on the Commission's website at 
https://www.sec.gov/oso/help/foia-contact.html.
    (4) The Office of the General Counsel will endeavor to make a 
determination with respect to an appeal within 30 days after the 
receipt of such appeal (excluding Saturdays, Sundays, and Federal 
holidays) unless, for good cause shown, the Office of the General 
Counsel extends that period. If such an extension is made, the 
individual who is appealing will be advised in writing of the 
extension, the reasons therefor, and the anticipated date when the 
appeal will be decided.
    (5) If the Office of the General Counsel concludes that an inquiry 
or request for access, amendment or correction, or an accounting should 
be granted, it will issue a decision granting the inquiry or request 
and instructing the Office of FOIA Services to comply with Sec. Sec.  
200.304(b), 200.306(c), or 200.307(c), as applicable.
    (6) If the Office of the General Counsel affirms the initial 
decision denying an inquiry or request for access or an accounting, it 
will issue a decision denying the inquiry or request and advising the 
requester of:
    (i) The reasons for the denial; and
    (ii) The requester's right to obtain judicial review of the 
decision pursuant to 5 U.S.C. 552a(g)(1)(B) or (g)(1)(D), as 
applicable.
    (7) If the Office of the General Counsel determines that the 
decision of the Office of FOIA Services denying a request for amendment 
or correction should be upheld, it will issue a decision denying the 
request and the individual will be advised of:

[[Page 10490]]

    (i) The decision refusing to amend or correct the record and the 
reasons therefor;
    (ii) The requester's right to file a concise statement setting 
forth his or her disagreement with the decision not to amend or correct 
the record;
    (iii) The procedures for filing such a statement of disagreement;
    (iv) The fact that any such statement of disagreement will be made 
available to anyone to whom the record is disclosed, together with, if 
the Office of the General Counsel deems it appropriate, a brief 
statement setting forth the Office of the General Counsel's reasons for 
refusing to amend or correct;
    (v) The fact that prior recipients of the record in issue will be 
provided with the statement of disagreement and the Office of the 
General Counsel's statement, if any, to the extent that an accounting 
of such disclosures has been maintained pursuant to 5 U.S.C. 552a(c); 
and
    (vi) The requester's right to seek judicial review of the Office of 
the General Counsel's refusal to amend or correct, pursuant to 5 U.S.C. 
552a(g)(1)(A).
    (8) In appropriate cases the Office of the General Counsel may, in 
its sole discretion, refer matters requiring administrative review of 
initial decisions to the Commission for determination and the issuance, 
where indicated, of decisions.
    (b) Statements of disagreement. As noted in paragraph (a)(6)(ii) of 
this section, a requester may file a statement setting forth his or her 
disagreement with the Office of the General Counsel's denial of the 
request for amendment or correction.
    (1) Such statement of disagreement may be submitted by email 
([email protected]) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester who is not able to 
submit a statement of disagreement by email or online may submit a 
request by mail to the Securities and Exchange Commission, Office of 
FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing 
address or facsimile number published on the Commission's website at 
https://www.sec.gov/oso/help/foia-contact.html. A requester must submit 
a statement of disagreement within 30 days after receipt of the Office 
of the General Counsel's decision denying the request for amendment or 
correction. For good cause shown this period can be extended for a 
reasonable time.
    (2) Statements of disagreement should be concise and must clearly 
identify each part of any record that is disputed and state the basis 
for the requester's disagreement. The Office of the General Counsel 
will return unduly lengthy or irrelevant materials to the individual 
for appropriate revisions before they become a permanent part of the 
requester's record. Statements of disagreement will be placed in the 
system of records in which the disputed record is maintained. The 
disputed record will be marked to indicate that a statement of 
disagreement has been filed and where in the system of records it may 
be found.
    (3) If a requester has filed a statement of disagreement, the 
Office of FOIA Services will append a copy of it to the disputed record 
whenever the record is disclosed and may also append a concise 
statement of its reason(s) for denying the request for amendment or 
correction.
    (4) In appropriate cases, the Office of the General Counsel may, in 
its sole discretion, refer matters concerning statements of 
disagreement to the Commission for disposition.


Sec.  200.309   Fees.

    (a) The only fee to be charged to a requester under this part is 
for the duplication of records to be disclosed to the requester. No fee 
will be charged or collected for: search, retrieval, or review of 
records; or duplication at the initiative of the Commission without a 
request from the requester. Fees for duplication will be charged at 
rates set forth on the FOIA web page of the Commission's website at 
www.sec.gov. Fees for duplication include any costs incurred in making 
records available on electronic storage devices.
    (b) With regard to requests for amendment or correction, the 
Commission will provide the requester one copy of each record corrected 
or amended pursuant to his or her request without charge as evidence of 
the correction or amendment.
    (c) Whenever the Office of FOIA Services determines that good cause 
exists to grant a request for reduction or waiver of fees for 
duplication costs, it may reduce or waive any such fees.


Sec.  200.310   Specific exemptions.

    (a) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the following 
systems of records maintained by the Commission are exempt from 5 
U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I), 
and (f), and Sec. Sec.  200.303, 200.305, and 200.307, insofar as they 
contain investigatory materials compiled for law enforcement purposes:
    (1) Enforcement Files;
    (2) Office of the General Counsel Working Files;
    (3) Office of the Chief Accountant Working Files;
    (4) Correspondence Response System;
    (5) Tips, Complaints, and Referrals (TCR) Records; and
    (6) SEC Security in the Workplace Incident Records.
    (b) Pursuant to 5 U.S.C. 552a(k)(5), the systems of records 
containing the Commission's Disciplinary and Adverse Actions, Employee 
Conduct, and Labor Relations Files are exempt from 5 U.S.C. 552a(c)(3), 
(d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f), and Sec. Sec.  
200.303 through 200.309, insofar as they contain investigatory material 
compiled to determine an individual's suitability, eligibility, and 
qualifications for Federal civilian employment or access to classified 
information, but only to the extent that the disclosure of such 
material would reveal the identity of a source who furnished 
information to the Government under an express promise that the 
identity of the source would be held in confidence, or, prior to 
September 27, 1975, under an implied promise that the identity of the 
source would be held in confidence.


Sec.  200.311  Inspector General exemptions.

    (a) Pursuant to, and limited by 5 U.S.C. 552a(j)(2), the system of 
records maintained by the Office of Inspector General of the Commission 
that contains investigative files is exempt from the provisions of 5 
U.S.C. 552a, except sections (b), (c)(1) and (2), (e)(4)(A) through 
(F), (e)(6), (e)(7), (e)(9), (e)(10), and (e)(11), and (i), and 
Sec. Sec.  200.303 through 200.309, insofar as the system contains 
information pertaining to criminal law enforcement investigations.
    (b) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the system of 
records maintained by the Office of Inspector General of the Commission 
that contains investigative files is exempt from 5 U.S.C. 552a(c)(3), 
(d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f) and Sec. Sec.  
200.303 through 200.309, insofar as it contains investigatory materials 
compiled for law enforcement purposes.


Sec.  200.312  [Reserved]

    By the Commission.

    Dated: February 14, 2023.
Vanessa A. Countryman,
Secretary.
[FR Doc. 2023-03467 Filed 2-17-23; 8:45 am]
BILLING CODE 8011-01-P