Privacy Act and Freedom of Information Act Regulations, 87960-87967 [2023-27473]

Agencies

• Management and Budget Office

[Federal Register Volume 88, Number 243 (Wednesday, December 20, 2023)]
[Proposed Rules]
[Pages 87960-87967]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-27473]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 88, No. 243 / Wednesday, December 20, 2023 / 
Proposed Rules

[[Page 87960]]



OFFICE OF MANAGEMENT AND BUDGET

5 CFR Parts 1302 and 1303

RIN 0348-AB87


Privacy Act and Freedom of Information Act Regulations

AGENCY: Office of Management and Budget, Executive Office of the 
President.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Management and Budget (OMB) seeks public comment 
on a proposed rule that would revise OMB's regulations implementing the 
Privacy Act and the Freedom of Information Act (FOIA). These revisions 
would update OMB's regulations to reflect changes in OMB's current 
organizational structure and best practices. The proposed amendments 
would also ensure consistency between the access to records procedures 
in OMB's Privacy Act regulations and OMB's FOIA regulations; and with 
applicable law and policies that were enacted after OMB originally 
issued its Privacy Act regulations in 1976. The proposed revisions 
would also align OMB's regulations with those of other agencies.

DATES: Comments are due on or before January 19, 2024.

ADDRESSES: You may send comments by:
    Federal eRulemaking Portal: https://www.regulations.gov.
    Instructions: All submissions must contain the subject heading 
``OMB Privacy Act and FOIA Regulations.''

FOR FURTHER INFORMATION CONTACT: For questions about these proposed 
regulations, please contact Timothy Ziese, 202-395-8693, 
[email protected]. You must include ``OMB Privacy Act and FOIA 
Regulations'' in the subject line.

SUPPLEMENTARY INFORMATION:

Background

    OMB proposes to revise its regulations at 5 CFR part 1302 governing 
requests and responses under the Privacy Act of 1974, as amended, 5 
U.S.C. 552a (``Privacy Act'') and corresponding changes at 5 CFR part 
1303 governing requests and responses under the Freedom of Information 
Act, as amended, 5 U.S.C. 552 (``FOIA'').
    The Privacy Act establishes certain agency responsibilities and 
individual rights regarding the collection, use, maintenance, and 
disclosure of records about individuals. To carry out these 
responsibilities, the Privacy Act requires agencies to promulgate 
regulations that establish (1) procedures for notifying an individual 
if any system of records named by the individual contains a record 
pertaining to that individual; (2) procedures for making information 
pertaining to an individual available to that individual upon request, 
including with respect to timelines and other requirements; (3) 
procedures for reviewing and adjudicating a request from an individual 
concerning the amendment of any record or information pertaining to the 
individual, and generally ensuring that individuals can fully exercise 
their rights under the Privacy Act; and (4) fees to be charged, if any, 
to any individual for making copies of records pertaining to the 
individual, excluding the cost of any search for and review of the 
record. 5 U.S.C. 552a(f).
    OMB's current Privacy Act regulations are codified at 5 CFR part 
1302. These regulations were promulgated in 1976. OMB proposes to 
update them for consistency with OMB's current organizational structure 
and best practices. Amendments would also ensure consistency with (1) 
the access to records procedures in OMB's FOIA regulations found at 5 
CFR part 1303; and (2) applicable law and policies that were enacted 
after 1976. The proposed revisions would also make OMB's regulations 
more consistent with those of other agencies, including as recently 
proposed by the Department of Justice (DOJ).
    OMB also proposes conforming revisions to OMB's FOIA regulations, 
most notably with regard to identity verification. In accordance with 5 
U.S.C. 552a(t), this proposal provides FOIA requesters the benefit of 
both the Privacy Act and FOIA disclosure requirements. Additionally, if 
a requested record is not part of a system of records, or if the FOIA 
requester is not an individual for purposes of the Privacy Act, a FOIA 
requester may be required to provide verification of identity in order 
to obtain greater access to records about themselves under the FOIA. 
The proposed revisions to the FOIA regulations therefore account for 
the limited circumstances when a FOIA requester may need to verify 
their identity in order to receive information that would otherwise be 
withheld under a FOIA exemption. OMB proposes additional revisions to 
OMB's FOIA regulations to reflect organizational changes and clarify 
language. If a requester cannot satisfy the identity verification 
requirements of OMB's proposed Privacy Act regulations, OMB will 
process the matter as a FOIA request.
    A shorter summary is available at www.regulations.gov/docket/OMB-2023-0022.

Section-by-Section Analysis

    General revisions to 5 CFR part 1302: General revisions are 
proposed throughout part 1302 to update terminology used and to 
streamline language for clarity, such as by including titles for each 
section summarizing the relevance of each provision. The proposed 
regulation would also reorder the regulation's text for consistency 
with those of other agencies, including DOJ's proposed Privacy Act 
regulation (88 FR 1012). All references to communications that are 
written or in writing include communications in hardcopy and electronic 
mail.
    Section 1302.1--General provisions: This new section would include 
(1) the purpose and scope of the Privacy Act regulations; (2) 
definitions for ``request for access,'' ``request for amendment or 
correction,'' ``request for an accounting,'' ``requester,'' and 
``system manager''; and (3) a clarification that OMB may disclose any 
record covered by the Privacy Act pursuant to a written request or 
consent of the individual about whom the record pertains.
    Section 1302.2--Requirements for making requests for access: This 
proposed section, which would include material that is currently 
codified in 5 CFR 1302.1 (``Rules for determining if an individual is 
the subject of a record'') and 1302.2 (``Requests for access''), is

[[Page 87961]]

modeled after DOJ's proposed Privacy Act regulations. OMB proposes to 
replace its current regulations' sections on ``Rules for determining if 
an individual is the subject of a record'' and ``Requests for access'' 
with sections for ``Requirements for making requests for access'' and 
``Responsibility for responding to requests.'' OMB believes that this 
revised categorization better delineates what requesters must do and 
what OMB must do.
    Proposed paragraph (d) would describe the method of providing 
identity verification and proofing. OMB believes this paragraph is 
necessary to ensure appropriate methods are available to individuals 
when verifying their identity under proposed paragraphs (e) and (f). As 
such, OMB intends to provide a number of methods pursuant to which 
individuals may submit verification information in a manner that 
safeguards their personal information. Failure to use the approved 
methods may result in failure to expunge information consistent with 
approved records schedules.
    Proposed paragraph (e), which would include provisions currently 
codified in 5 CFR 1302.2(b)(2)(vi)(A) through (G), includes updates to 
reflect the specific processes that a requester must perform to verify 
their identity.
    Proposed paragraph (f), which would include provisions currently 
codified in 5 CFR 1302.2(b)(2)(vi)(E) (``Access by the parent of a 
minor or legal guardian''), describes the additional processes required 
for a legal guardian to request information on behalf of a minor or an 
individual determined by a court of competent jurisdiction to be 
incompetent.
    Proposed paragraphs (d), (e), and (f) includes updates to accept 
remote identity-proofing and authentication when an individual makes a 
request under the Privacy Act.
    Section 1302.3--Responsibility for responding to requests: This 
proposed section, which would include provisions currently codified in 
5 CFR 1302.2(b)(2) (``OMB action on request''), includes revisions to 
reflect the current statutory requirements of 5 U.S.C. 552a.
    Proposed paragraphs (a) and (b) describe how OMB would acknowledge 
a request, including any requests by OMB for additional information 
necessary to process a request.
    Proposed paragraphs (c) and (d) would specify what information OMB 
will provide in response to a written request.
    Section 1302.4--Requests for an Accounting: This proposed section, 
which would include provisions currently codified in 5 CFR 1302.3 
(``Access to the accounting of disclosures from records''), includes a 
few editorial changes but otherwise remains substantively the same as 
the current regulation.
    Section 1302.5--Requests for an Amendment or Correction: This 
proposed section, which would include provisions currently codified in 
5 CFR 1302.4 (``Request to amend records''), adds paragraph (b)(2), 
which provides requesters an alternative address to which to send their 
Privacy Act request for amendment to a record. The requirements for 
notification and timelines in proposed paragraph (c), which would 
include provisions currently located in paragraph (b)(2) (``OMB action 
on the request''), are revised to reflect the current statutory 
requirements of 5 U.S.C. 552a.
    Section 1302.6--Appeals: This proposed section, which would include 
provisions currently codified in 5 CFR 1302.5 (``Request for review''), 
includes a number of updates. For example, requests for review should 
be addressed to the Senior Agency Official for Privacy, who is 
responsible for reviewing requests, consistent with E.O. 13719, OMB 
Circular No. A-130, and OMB's current practices. The requirements for 
notification and timelines in proposed paragraph (d), which would 
include provisions currently codified in 5 CFR 1302.5(g), are revised 
to reflect the current statutory requirements of 5 U.S.C. 552a.
    Section 1302.7--Fees: This proposed section, which would include 
provisions currently codified in 5 CFR 1302.6 (``Schedule of Fees''), 
includes a few editorial changes, but otherwise remains substantively 
the same as the existing regulation.
    General Revisions to 5 CFR part 1303: OMB is proposing limited 
revisions to its FOIA regulations to update the requirements for the 
verification of identity, provide further clarity, and reflect OMB's 
current organizational structure. The revisions to the identity 
verification requirements, while minimal, are significant in that they 
describe OMB's practice of providing requesters the benefit of both the 
Privacy Act and the FOIA. Should a requester fail to provide adequate 
verification of identity under the Privacy Act, the request will 
normally be treated as a FOIA request and subject to the procedures in 
OMB's FOIA regulations at 5 CFR part 1303. Nevertheless, under some 
circumstances, for instance if the requester is not an individual for 
purposes of the Privacy Act or if the record is not maintained in a 
system of records, a FOIA requester may provide verification of 
identity in order to obtain greater access to records that would 
otherwise be exempt under FOIA.
    Section 1303.3--Organization: Proposed paragraph (a)(5) deletes 
``Intellectual Property Enforcement Coordinator'' because this office 
is no longer housed within OMB, and is now a separate office within the 
Executive Office of the President. This proposed paragraph also inserts 
the ``Made in America Office'' as a statutory office in OMB.
    Section 1303.20--Where to send requests: Among other things, this 
proposed section adds ``or the Government-wide FOIA.Gov portal'' to 
account for the ability of members of the public to submit FOIA 
requests through the consolidated online request portal described in 5 
U.S.C. 552(m), currently available at https://www.foia.gov.
    Section 1303.21: This proposed revision would clarify that OMB 
retains discretion to request additional information relating to a FOIA 
request, including verification of identity. When OMB does so it will 
follow the identity verification processes as proposed in the Privacy 
Act regulations.
    Section 1303.30--Responsibility for responding to requests: 
Proposed paragraph (c)(2)(i), concerning situations when OMB refers 
records responsive to FOIA requests to other agencies, clarifies that 
OMB will notify the requester, and will inform them of the agency that 
will be processing the record, so that requesters will be informed when 
a referral is made, not just upon the final determination concerning 
the record. In paragraph (c)(2)(ii), OMB is proposing to revise the 
opening language to clarify that the coordination process is undertaken 
with regard to particular records, and not to the request as a whole, 
and proposing to provide additional language to illustrate 
circumstances under which the coordination process would be 
appropriate.
    Section 1303.40--Timing of responses to requests: Minimal proposed 
revisions are for clarity.
    Section 1303.50--Responses to requests: Among other revisions, 
proposed revisions to paragraph (c) would clarify types of adverse 
determinations, and proposed paragraph (c)(4) adds ``under which the 
withholding is being made'' to clarify which exemption the regulation 
refers to.
    Section 1303.60--Notification procedures for confidential 
commercial information: Proposed paragraph (e)(2) adds ``privileged 
or'' for clarity and consistency with the statutory standard

[[Page 87962]]

for withholding under FOIA Exemption 4, 5 U.S.C. 552(b)(4).
    Section 1303.70--Appeals: Minimal proposed revisions are for 
clarity.
    Section 1303.91--Fees to be charged--general: Among other 
revisions, this proposed section replaces ``(see definition in Sec.  
1303.30(b))'' with ``(see 5 U.S.C. 552(a)(4)(A)(vi))'' because the 
former is an unrelated provision, and the latter forms the statutory 
basis of this language.
    Section 1303.92--Fees to be charged--categories of requesters: 
Proposed paragraphs (a) through (d) replace ``reproduction'' with 
``duplication'' to better match the relevant statutory language. 
Proposed paragraph (d) also replaces ``reproducing'' with ``producing'' 
for clarity, and replaces ``reproduction'' with ``producing copies of 
records'' for clarity.
    Section 1303.93--Miscellaneous fee provisions: Among other 
revisions, proposed paragraph (d)(1) replaces ``payments'' with ``a 
payment'' to clarify that a requester's single failure to pay fees in a 
timely fashion may result in OMB requiring advance payment of 
subsequent fees.

Regulatory Certifications

Regulatory Flexibility Act

    The Director of OMB, in accordance with the Regulatory Flexibility 
Act (5 U.S.C. 605(b)), has reviewed this proposed rule and certifies 
that this proposed rule will not have a significant economic impact on 
a substantial number of small entities. Under the Privacy Act, agencies 
may recover only the direct costs of searching for, reviewing, and 
duplicating the records processed for requesters, and only for certain 
classes of requesters and when particular conditions are satisfied. 
Thus, fees assessed by OMB are nominal.

Executive Orders 12866, 13563, and 14094

    E.O.s 12866 and 13563 direct agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). E.O. 13563 emphasizes the 
importance of quantifying both costs and benefits, of reducing costs, 
of harmonizing rules, and of promoting flexibility. This is not a 
significant regulatory action under section 3(f) of E.O. 12866, as 
amended by E.O. 14094, and, therefore was not subject to review under 
section 6(b) of E.O. 12866.

Unfunded Mandates Reform Act of 1995

    This proposed rule will not result in the expenditure by State, 
local, and tribal governments, in the aggregate, or by the private 
sector, of $100,000,000 or more in any one year, and it will not 
significantly or uniquely affect small governments. Therefore, no 
actions were deemed necessary under the provisions of the Unfunded 
Mandates Reform Act of 1995.

Comments Requested

    Interested persons are invited to provide written comments 
concerning the proposed rule. In particular, comments are requested 
regarding OMB's proposal to require verification of identity through 
approved OMB processes that will be described on OMB's upcoming privacy 
program web page. These regulations do not specify the various methods 
of submitting identity verification information because OMB 
contemplates those methods will change based on evolving market tools 
and the capability of the Government to verify identity. Other methods, 
such as mail and stand-alone facsimile submissions, will continue to be 
available. OMB currently contemplates mail, stand-alone facsimile, 
password protected submissions to a designated email account, digital 
verification for current federal employees, and in-person verification 
for current OMB employees. Comments are requested on each of these 
methods and whether OMB should consider other methods of remote 
identity verification for all requesters.
    Comments are due no later than 30 days after the date of 
publication of this document in the Federal Register. All comments and 
suggestions received will be available for review on Regulations.gov.
    Privacy Act Statement: OMB proposes this rule pursuant to the 
Privacy Act of 1974, as amended, 5 U.S.C. 552a (``Privacy Act'') and 
the Freedom of Information Act, as amended, 5 U.S.C. 552 (``FOIA''). 
Submission of comments is voluntary. The information will be used to 
inform sound decision-making. Please note that all comments received in 
response to this document may be posted or released in their entirety, 
including any personal and business confidential information provided. 
Do not include any information you would not like to be made publicly 
available. Additionally, the OMB System of Records Notice, OMB Public 
Input System of Records, OMB/INPUT/01, 88 FR 20913 (available at 
www.federalregister.gov/documents/2023/04/07/2023-07452/privacy-act-of-1974-system-of-records), includes a list of routine uses associated 
with the collection of this information.

List of Subjects in 5 CFR Parts 1302 and 1303

    Administrative practices and procedures, Archives and records, 
Freedom of information, Privacy.

    For the reasons stated in the preamble, OMB proposes to amend 5 CFR 
parts 1302 and 1303 as follows:

0
1. Revise part 1302 to read as follows:

PART 1302--PRIVACY ACT PROCEDURES

Sec.
1302.1 General provisions.
1302.2 Requirements for making requests for access.
1302.3 Responsibility for responding to requests.
1302.4 Requests for an accounting.
1302.5 Requests for an amendment or correction.
1302.6 Appeals.
1302.7 Fees.

    Authority: 5 U.S.C. 552a.


Sec.  1302.1  General provisions.

    (a) Purpose and scope. This part implements the rules that the 
Office of Management and Budget (OMB) follows under the Privacy Act of 
1974, codified as amended at 5 U.S.C. 552a (Privacy Act). This part 
applies to all records in systems of records maintained by OMB that are 
retrieved by an individual's name or personal identifier. This part 
describes the procedures by which individuals may request access to 
records about themselves, request amendment or correction of those 
records, and request an accounting of disclosures of those records by 
OMB.
    (b) Definitions. As used in this part:
    Request for access to a record means a request made under 5 U.S.C. 
552a(d)(1).
    Request for amendment or correction of a record means a request 
made under 5 U.S.C. 552a(d)(2).
    Request for an accounting means a request made under 5 U.S.C. 
552a(c)(3).
    Requester means an individual who makes a request for access, a 
request for amendment or correction, or a request for an accounting 
under the Privacy Act. The Privacy Act defines an ``individual'' as a 
citizen of the United States or an alien lawfully admitted for 
permanent residence.
    System manager means the OMB official identified in a system of 
records notice as the manager of a system of records; and for 
Government-wide systems of records, the individual

[[Page 87963]]

designated by the agency to act on behalf of the system manager.
    (c) Providing written consent to disclose records protected under 
the Privacy Act. OMB may disclose any record contained in a system of 
records by any means of communication to any person, or to another 
agency, pursuant to a written request by, or with the prior written 
consent of, the individual about whom the record pertains. An 
individual must verify the individual's identity in the same manner as 
required by Sec.  1302.2(d) when providing written consent to disclose 
a record protected under the Privacy Act and pertaining to the 
individual.


Sec.  1302.2  Requirements for making requests for access.

    (a) How made and addressed. You may make a Privacy Act request for 
access to an OMB record by submitting a request in writing to Privacy 
Officer, Office of Management and Budget, 725 17th Street NW, Room 
9204, Washington, DC 20503 or by email at [email protected] or by any 
other means described on OMB's privacy web page.
    (b) Description of the records sought. In making a request for 
access, you must describe the records that you want in enough detail to 
enable OMB to locate the system of records containing them with a 
reasonable amount of effort. Your access request should name the system 
of records or contain a concise description of such system of records. 
OMB publishes notices of OMB systems of records subject to the Privacy 
Act in the Federal Register.
    (c) Information about yourself. Your access request should also 
contain sufficient information to identify yourself in order to allow 
OMB to determine if there is a record pertaining to you in a particular 
system of records.
    (d) Verification of identity. To ensure that information about you 
is disclosed only to you or your authorized representative, you are 
required to verify your identity when making a Privacy Act request for 
access, as detailed in paragraphs (d)(1) through (3) of this section. 
If OMB cannot verify your identity, disclosure will be limited to 
information that would be required to be made available if requested 
under 5 U.S.C. 552 by any person.
    (1) You must state your name, current address, and date and place 
of birth and provide either a notarized statement of identity or a 
signed submission under 28 U.S.C. 1746; or
    (2) When available, verify your identity through remote identity-
proofing and authentication using digital processes.
    (3) OMB may require you to supply additional information as 
necessary in order to verify your identity.
    (e) Verification of guardianship. When making a request for access 
as the parent or guardian of a minor or as the guardian of someone 
determined by a court of competent jurisdiction to be incompetent, for 
access to records about that individual, you must establish the 
criteria listed in paragraphs (e)(1) through (4) of this section. If 
OMB cannot verify your identity, disclosure will be limited to 
information that would be required to be made available if requested 
under 5 U.S.C. 552 by any person.
    (1) The identity of the individual who is the subject of the 
record, by stating the name, current address, and date and place of 
birth;
    (2) Your own identity, as required in this paragraph (e);
    (3) That you are the parent or guardian of that individual, which 
you may prove by providing a copy of the individual's birth certificate 
showing your parentage or by providing a court order establishing your 
guardianship; and
    (4) That you are acting on behalf of that individual in making the 
request.
    (f) Submit identifying information only using approved OMB 
processes. In order to safeguard information you submit in making a 
request for access for purposes of verifying your identity or verifying 
guardianship, or any information about yourself that may assist in the 
rapid identification of the record to which you are requesting access 
(e.g., prior names, dates of employment, etc.) as well as any other 
identifying information contained in an OMB system of records, you must 
use one of OMB's approved processes as described on OMB's Privacy web 
page. Failure to submit identifying information through an OMB approved 
process may result in the failure to expunge your information in 
accordance with approved OMB records schedules after your access 
request has been processed.
    (g) Subsequent requests for access. If your request for access 
follows a prior request under this section, and you already provided 
appropriate verifications with that prior request, you do not need to 
include the same verification or identifying information in the 
subsequent request for access if you reference that prior request or 
attach a copy of the OMB response to that request.


Sec.  1302.3  Responsibility for responding to requests.

    (a) Acknowledgment of requests. OMB will acknowledge your request 
for access in writing and provide an individualized tracking number. 
Upon request, OMB will make information available to you about the 
status of your request using the assigned tracking number.
    (b) Timing of responses to a Privacy Act request for access. OMB 
will respond to Privacy Act requests for access to records according to 
the order in which OMB receives the requests. Consistent with OMB's 
FOIA procedures at 5 CFR 1303.40(b), OMB may designate multiple 
processing tracks that distinguish between simple and more complex 
Privacy Act requests for access, based on the estimated amount of work 
or time needed to process the request.
    (c) Additional information. If, after receiving a request, OMB 
determines that your request does not reasonably describe the records 
sought, OMB will inform you what additional information is needed and 
why the request is otherwise insufficient. If a request does not 
reasonably describe the records sought, OMB's response to the request 
may be delayed.
    (d) Grant of request for access. Once OMB makes a determination to 
grant a request for access, OMB will provide you a written response, 
which may include the following:
    (1) A statement as to whether OMB will grant access by providing a 
copy of the record through electronic means or the mail; and
    (2) The amount of fees charged, if any (see Sec.  1302.7). (Fees 
are applicable only to requests for duplicates.)
    (e) Adverse determination of request for access. OMB will notify 
you of an adverse determination denying a request for access in 
writing. Adverse determinations, or denials of requests, consist of: A 
determination to withhold any requested record in whole or in part; a 
determination that a requested record does not exist or cannot be 
located; a determination that what has been requested is not a record 
subject to the Privacy Act; a determination on any disputed fee matter; 
or a denial of a request for expedited treatment. OMB's notification 
letter to you will include:
    (1) The decision of OMB whether to grant in whole, or deny any part 
of the request;
    (2) The reasons for the determination for any portion of the 
request that is denied; and
    (3) A description of the procedure by which the OMB decision to 
deny your request may be appealed, including the

[[Page 87964]]

name and address of the official with whom you may lodge such an 
appeal.


Sec.  1302.4  Requests for an accounting.

    You may request an accounting of disclosures by the same rules 
governing requests for access, outlined in Sec.  1302.2.


Sec.  1302.5  Requests for an amendment or correction.

    (a) Requirement for written requests. If you want to amend a record 
that pertains to you in a system of records maintained by OMB, you must 
submit your request in writing following the procedures established in 
this section unless the system manager waives the requirements in this 
section. OMB is not required to amend records that are not subject to 
the Privacy Act of 1974. However, individuals who believe that such 
records are inaccurate may bring this to the attention of OMB.
    (b) Procedures. (1) You should address your request to amend a 
record in a system of records to the system manager. You should include 
the name of the system and a brief description of the record proposed 
for amendment. If the request to amend the record is the result of you 
gaining access to the record in accordance with the provisions 
concerning access to records as set forth in Sec.  1302.2, you may 
attach a copy of previous correspondence between you and OMB instead of 
providing a separate description of the record.
    (2) If a requester cannot determine where within OMB to send the 
Privacy Act request to amend a record, the requester may send it to 
Privacy Officer, Office of Management and Budget, 725 17th Street NW, 
Room 9204, Washington, DC 20503 or by email at [email protected]. OMB 
will forward the request to the component(s) it believes most likely to 
have the relevant records. For the quickest possible handling, the 
requester should specify on either the letter and envelope, or in the 
email subject line, as applicable, ``Privacy Act Record Amendment 
Request.''
    (3) You must validate your identity as described in Sec.  
1302.2(e). If OMB has previously verified your identity pursuant to 
Sec.  1302.2(e), further verification of identity is not required as 
long as the communication does not suggest that a need for verification 
is present.
    (4) You should clearly indicate the exact portion of the record you 
seek to have amended. If possible, you should also propose alternative 
language, or at a minimum, identify the facts that you believe are not 
accurate, relevant, timely, or complete, with such particularity as to 
permit OMB not only to understand the basis for your request, but also 
to make an appropriate amendment to the record.
    (5) Your request must also state why you believe your record is not 
accurate, relevant, timely, or complete. The burden of persuading OMB 
to amend a record will be upon you. You must furnish sufficient facts 
to persuade the official in charge of the system of the inaccuracy, 
irrelevancy, timeliness, or incompleteness of the record.
    (6) OMB will not categorically reject incomplete or inaccurate 
requests. OMB will ask you to clarify the request as needed.
    (c) OMB action on the request. (1) OMB will acknowledge, in 
writing, receipt of a request to amend a record within 10 business days 
(i.e., excluding Saturdays, Sundays, and legal Federal holidays) of 
OMB's receipt.
    (2) OMB will promptly respond to a Privacy Act request for 
amendment or correction. OMB ordinarily will respond to Privacy Act 
requests for amendment or correction according to their order of 
receipt. Consistent with OMB's FOIA procedures at 5 CFR 1303.40(b), OMB 
may designate multiple processing tracks that distinguish between 
simple and more complex Privacy Act requests for amendment or 
correction, based on the estimated amount of work or time needed to 
process the request. The response reflecting the decision upon a 
request for amendment will include the following:
    (i) The decision of OMB whether to grant in whole, or deny any part 
of, the request to amend the record;
    (ii) The reasons for the determination for any portion of the 
request which is denied; and
    (iii) A description of the procedure by which the OMB decision to 
deny your request may be appealed, including the name and address of 
the official with whom you may lodge such an appeal.


Sec.  1302.6  Appeals.

    (a) If you wish to appeal a decision by OMB with regard to your 
request to access or amend a record in accordance with the provisions 
of Sec. Sec.  1302.2 and 1302.5, you should submit the appeal in 
writing and, to the extent possible, include the information specified 
in paragraph (b) of this section.
    (b) Your appeal should contain a brief description of the record 
involved or copies of the correspondence from OMB in which the request 
to access or to amend was denied and also the reasons why you believe 
that access should be granted or the information amended, as relevant. 
Your appeal should refer to the information you furnished in support of 
your claim and the reasons set forth by OMB in its decision denying 
access or amendment, as required by Sec. Sec.  1302.2 and 1302.5. In 
order to make the appeal process as meaningful as possible, you should 
set forth your disagreement in an understandable manner. In order to 
avoid the unnecessary retention of personal information, OMB reserves 
the right to dispose of the material concerning the request to access 
or amend a record if OMB receives no appeal in accordance with this 
section within 180 days of the sending by OMB of its decision upon an 
initial request. OMB may treat an appeal received after the 180-day 
period as an initial request to access or amend a record.
    (c) You should address your appeal to the Senior Agency Official 
for Privacy.
    (d) The Senior Agency Official for Privacy will review a refusal to 
amend a record within 30 business days (excluding Saturdays, Sundays, 
and legal Federal holidays) from the date on which the individual 
requests such review, unless the OMB Director extends the 30-day period 
for good cause. If the Senior Agency Official for Privacy's decision 
does not grant in full the request, the notice of the decision will 
describe the steps you may take to obtain judicial review of such a 
decision.


Sec.  1302.7  Fees.

    (a) Prohibitions against charging fees for Privacy Act requests. 
OMB will not charge you for:
    (1) The search and review of requests for records subject to this 
part;
    (2) Any copies of the record produced as a necessary part of the 
process of making the record available for access; or
    (3) Any copies of the requested record when OMB determines that the 
only way you can access the record is by providing a copy to you 
through the mail.
    (b) Waiver. OMB may at no charge provide copies of a record if it 
is determined the production of the copies is in the interest of the 
Government.
    (c) Fee schedule and method of payment. OMB will charge fees as 
provided in paragraphs (c)(1) through (5) of this section except as 
provided in paragraphs (a) and (b) of this section.
    (1) OMB will duplicate records at a rate of $.10 per page for all 
copying of 4 pages or more. There is no charge for duplication 3 or 
fewer pages.
    (2) Where OMB anticipates that the fees chargeable under this 
section will amount to more than $25.00, OMB shall promptly notify you 
of the amount of the anticipated fee or such portion thereof as can 
readily be estimated. If

[[Page 87965]]

the estimated fees will greatly exceed $25.00, OMB may require an 
advance deposit. OMB's request for an advance deposit shall extend an 
offer to the requester to consult with OMB personnel in order to 
reformulate the request in a manner which will reduce the fees, yet 
still meet the needs of the requester.
    (3) You should pay fees in full before the requested copies are 
issued. If the requester is in arrears for previous requests, OMB will 
not provide copies for any subsequent request until the arrears have 
been paid in full.
    (4) Remittances shall be in the form either of a personal check or 
bank draft drawn on a bank in the United States, or a postal money 
order. Remittances shall be made payable to the order of the Treasury 
of the United States and mailed or delivered to the Assistant Director 
for Management and Operations, Office of Management and Budget, 
Washington, DC 20503.
    (5) OMB will provide a receipt for fees paid upon request.

PART 1303--PUBLIC INFORMATION PROVISIONS OF THE ADMINISTRATIVE 
PROCEDURES ACT

0
2. The authority citation for part 1303 continues to read as follows:

    Authority: 5 U.S.C. 301 and 5 U.S.C. 552, unless otherwise 
noted.

0
3. Amend Sec.  1303.3 by revising paragraph (a)(5) to read as follows:


Sec.  1303.3  Organization.

    (a) * * *
    (5) Statutory offices include the Office of Federal Financial 
Management; Office of Federal Procurement Policy; Office of E-
government and Information Technology; Made in America Office; and 
Office of Information and Regulatory Affairs.
* * * * *
0
4. Revise Sec.  1303.20 to read as follows:


Sec.  1303.20  Where to send requests.

    The FOIA Officer is responsible for acting on all initial requests. 
Individuals wishing to file a request under the FOIA should address 
their request in writing to FOIA Officer, Office of Management and 
Budget, 725 17th Street NW, Room 9272, Washington, DC 20503, via fax to 
(202) 395-3504, by email at [email protected], or the Government-wide 
FOIA.Gov portal. Requesters must provide contact information sufficient 
to enable OMB to communicate with the requester. Additionally, OMB's 
FOIA Public Liaison is available to assist requesters who have 
questions and can be reached at (202) 395-FOIA or in writing at the 
address provided in this section.
0
5. Revise Sec.  1303.21 to read as follows:


Sec.  1303.21  Requesters making requests about themselves or on behalf 
of others.

    In order to obtain greater access to records, a requester who is 
making a request for records about the requester or on behalf of 
another individual must comply with the verification of identity 
requirements as determined by OMB pursuant to OMB's requirements for 
making requests for access in 5 CFR part 1302. OMB may require a 
requester to supply additional information as necessary in order to 
verify the identity of the requester or to verify that a particular 
individual has consented to disclosure.
0
6. Amend Sec.  1303.30 by revising paragraphs (c)(2)(i) and (ii) to 
read as follows:


Sec.  1303.30  Responsibility for responding to requests.

* * * * *
    (c) * * *
    (2) * * *
    (i) When OMB believes that a different agency is best able to 
determine whether to disclose the record, OMB will refer the 
responsibility for responding to the request regarding that record to 
that agency, will notify the requester, and will inform them of the 
agency which will be processing the record, including that agency's 
FOIA contact information. Ordinarily, the agency that originated the 
record is best situated to make the disclosure determination. However, 
if OMB and the originating agency jointly agree that OMB is in the best 
position to respond regarding the record, then OMB may respond to the 
requester.
    (ii) When OMB believes that a different agency is best able to 
determine whether to disclose the record, but also believes that 
disclosure of the identity of the different agency could harm an 
interest protected by an applicable FOIA exemption, such as the 
exemptions that protect personal privacy or national security 
interests, OMB will coordinate with the originating agency to seek its 
views on the disclosability of the record and convey the release 
determination for the record that is the subject of the coordination to 
the requester. For example, if a non-law enforcement agency responding 
to a request for records on a living third party locates within its 
files records originating with a law enforcement agency, and if the 
existence of that law enforcement interest in the third party was not 
publicly known, then to disclose that law enforcement interest could 
cause an unwarranted invasion of the personal privacy of the third 
party. Similarly, if an agency locates within its files material 
originating with an Intelligence Community agency, and the involvement 
of that agency in the matter is classified and not publicly 
acknowledged, then to disclose or give attribution to the involvement 
of that Intelligence Community agency could cause national security 
harms.
0
7. Amend Sec.  1303.40 by revising paragraphs (e)(1)(iv) and (e)(4) to 
read as follows:


Sec.  1303.40  Timing of responses to requests.

* * * * *
    (e) * * *
    (1) * * *
    (iv) There are possible questions, in a matter of widespread and 
exceptional public interest, about the Government's integrity which 
affect public confidence.
* * * * *
    (4) OMB will decide whether to grant a request for expedited 
processing and will notify the requester within 10 calendar days after 
the date of the request. If a request for expedited treatment is 
granted, OMB will prioritize the underlying FOIA request, place the 
request in the processing track for expedited requests, and process the 
request as soon as practicable. If a request for expedited processing 
is denied, any appeal of that decision will be acted on expeditiously.
0
8. Amend Sec.  1303.50 by revising paragraphs (a), (c) introductory 
text, and (c)(4) to read as follows:


Sec.  1303.50  Responses to requests.

    (a) Acknowledgments of requests. OMB will assign an individualized 
tracking number to each request received that will take longer than ten 
days to process; and acknowledge each request, informing the requester 
of their tracking number if applicable; and, upon request, make 
available information about the status of a request to the requester 
using the assigned tracking number, including--
    (1) The date on which OMB originally received the request; and
    (2) An estimated date on which OMB will complete action on the 
request.
* * * * *
    (c) Adverse determinations of requests. Adverse determinations, or 
denials of requests, include decisions that the requested record is 
exempt, in whole or in part; the request does not reasonably describe 
the records sought; the information requested is not a record subject 
to the FOIA; the requested record does not exist, cannot

[[Page 87966]]

be located, or has been destroyed; or the requested record is not 
readily reproducible in the form or format sought by the requester. 
Adverse determinations also include denials involving fees or fee 
waiver matters or denials of requests for expedited processing. In the 
case of an adverse determination, the FOIA Officer will immediately 
notify the requester of--
* * * * *
    (4) OMB's estimate of the volume of any requested records OMB is 
withholding, unless providing such estimate would harm an interest 
protected by the exemption in 5 U.S.C. 552(b) under which the 
withholding is being made.
0
9. Amend Sec.  1303.60 by revising paragraphs (a)(2) and (e)(2) to read 
as follows:


Sec.  1303.60  Notification procedures for confidential commercial 
information.

    (a) * * *
    (2) Submitter means any person or entity, including a corporation, 
State, or foreign government, but not including another Federal 
Government entity, that provides confidential commercial information, 
either directly or indirectly, to the Federal Government.
* * * * *
    (e) * * *
    (2) If a submitter has any objections to disclosure, it should 
provide OMB a detailed written statement that specifies all grounds for 
withholding the particular information under any exemption of the FOIA. 
In order to rely on Exemption 4 as basis for nondisclosure, the 
submitter must explain why the information constitutes a trade secret 
or commercial or financial information that is privileged or 
confidential. OMB is not required to consider any information received 
after the date of any disclosure decision.
* * * * *
0
10. Amend Sec.  1303.70 by revising paragraph (a) to read as follows:


Sec.  1303.70  Appeals.

    (a) A requester must appeal to the head of OMB in writing within 90 
calendar days after the date of such adverse determination addressed to 
the FOIA Officer at the address specified in Sec.  1303.20. The appeal 
must include a statement explaining the basis for the appeal. 
Determinations of appeals will be set forth in writing and signed by 
the Deputy Director, or their designee, within 20 working days. If on 
appeal the denial is upheld in whole or in part, the written 
determination will also contain a notification of the provisions for 
judicial review, the names of the persons who participated in the 
determination, and notice of the services offered by OGIS as a non-
exclusive alternative to litigation.
* * * * *
0
11. Amend Sec.  1303.91 by revising the introductory text and paragraph 
(i) to read as follows:


Sec.  1303.91  Fees to be charged--general.

    OMB will charge fees that recoup the full allowable direct costs it 
incurs. Moreover, it will use the most efficient and least costly 
methods to comply with requests for documents made under the FOIA. For 
example, employees should not engage in line-by-line search when merely 
duplicating an entire document would prove the less expensive and 
quicker method of complying with a request. Search should be 
distinguished, moreover, from review of material in order to determine 
whether the material is exempt from disclosure. When documents that 
would be responsive to a request are maintained for distribution by 
agencies operating statutory-based fee schedule programs (see 5 U.S.C. 
552(a)(4)(A)(vi)), such as the National Technical Information Service, 
OMB will inform requesters of the steps necessary to obtain records 
from those sources.
* * * * *
    (i) No Fees under $25. No fee will be charged when the total fee, 
after deducting the first 100 free pages (or its cost equivalent) and 
the first two hours of search, is equal to or less than $25. If OMB 
estimates that the charges are likely to exceed $25, it will notify the 
requester of the estimated amount of fees, unless the requester has 
indicated in advance their willingness to pay fees as high as those 
anticipated. Such a notice shall offer a requester the opportunity to 
confer with agency personnel to meet the requester's needs at a lower 
cost.
0
12. Amend Sec.  1303.92 by revising paragraphs (a) through (d) to read 
as follows:


Sec.  1303.92  Fees to be charged--categories of requesters.

* * * * *
    (a) Commercial use requesters. When OMB receives a request for 
documents for commercial use, it will assess charges that recover the 
full direct costs of searching for, reviewing for release, and 
duplicating the record sought. Commercial use requesters are not 
entitled to two hours of free search time nor 100 free pages of 
duplication of documents. OMB may recover the cost of searching for and 
reviewing records even if there is ultimately no disclosure of records 
(see Sec.  1303.93(b)).
    (b) Educational and non-commercial scientific institution 
requesters. OMB will provide documents to requesters in this paragraph 
(b) for the cost of duplication alone, excluding charges for the first 
100 pages. To be eligible for inclusion in this paragraph (b), a 
requester must meet the criteria in Sec.  1303.90(g) or (h). OMB may 
seek evidence from the requester that the request is in furtherance of 
scholarly research and will advise requesters of their placement in 
this paragraph (b).
    (c) Requesters who are representatives of the news media. OMB will 
provide documents to requesters in this paragraph (c) for the cost of 
duplication alone, excluding charges for the first 100 pages. To be 
eligible for inclusion in this paragraph (c), a requester must meet the 
criteria in Sec.  1303.90(i) and (j) and not make the request for 
commercial use. A request for records supporting the news dissemination 
function of the requester is not a commercial use for this paragraph 
(c).
    (d) All other requesters. OMB will charge requesters who do not fit 
into any of the categories in paragraphs (a) through (c) of this 
section fees that recover the full reasonable direct cost of searching 
for and producing records that are responsive to the request, except 
that the first 100 pages of duplication and the first two hours of 
search time will be furnished without charge. Moreover, requests for 
records about the requesters filed in OMB's systems of records will 
continue to be treated under the fee provisions of the Privacy Act of 
1974, which permit fees only for producing copies of records.
0
13. Amend Sec.  1303.93 by revising paragraph (a), the first sentence 
of paragraph (c), and paragraph (d)(1) to read as follows:


Sec.  1303.93  Miscellaneous fee provisions.

    (a) Charging interest--notice and rate. OMB may begin assessing 
interest charges on an unpaid bill starting on the 31st day after OMB 
sends the bill. If OMB receives the fee within the thirty-day grace 
period, interest will not accrue on the paid portion of the bill, even 
if the payment is unprocessed. Interest will be at the rate prescribed 
in 31 U.S.C. 3717 and will accrue from the date of the billing.
* * * * *
    (c) * * * When OMB reasonably believes that a requester, or a group 
of requesters acting in concert, is attempting to divide a single 
request into a series of requests for the purpose of avoiding fees, OMB 
may aggregate those requests and charge fees accordingly. * * *
    (d) * * *

[[Page 87967]]

    (1) OMB will not require a requester to make an advance payment, 
i.e., payment before work is commenced or continued on a request, 
unless OMB estimates or determines that allowable charges that a 
requester may be required to pay will exceed $250 or the requester has 
previously failed to make a payment due within 30 days of billing.
* * * * *

Shraddha A. Upadhyaya,
Associate General Counsel, Office of Management and Budget.
[FR Doc. 2023-27473 Filed 12-19-23; 8:45 am]
BILLING CODE 3110-01-P