Privacy Act Regulations, 1447-1457 [2024-00282]
Federal Register / Vol. 89, No. 7 / Wednesday, January 10, 2024 / Rules and Regulations
CALCULATION OF ADJUSTMENTS TO MAXIMUM CIVIL MONETARY PENALTIES—Continued
Citation | Description | 2023 Penalty level | Adjustment multiplier | 2024 Penalty level (rounded to the nearest dollar)
16 CFR 1.98(m): 15 U.S.C. 1681s(a)(2) | Knowing violations | 4,705 | 1.03241 | 4,857
16 CFR 1.98(n): 21 U.S.C. 355 note | Non-compliance with filing requirements | 17,719 | 1.03241 | 18,293
16 CFR 1.98(o): 42 U.S.C. 17304 | Market manipulation or provision of false information to federal agencies | 1,426,319 | 1.03241 | 1,472,546
Effective Dates of New Penalties
These new penalty levels apply to civil penalties assessed after the effective date of the applicable adjustment, including civil penalties whose associated violation predated the effective date.6 These adjustments do not retrospectively change previously assessed or enforced civil penalties that the FTC is actively collecting or has collected.
Procedural Requirements
The FCPIAA, as amended, directs agencies to adjust civil monetary penalties through rulemaking and to publish the required inflation adjustments in the Federal Register, notwithstanding section 553 of title 5 in the United States Code. Pursuant to this congressional mandate, prior public notice and comment under the APA and a delayed effective date are not required. For this reason, the requirements of the Regulatory Flexibility Act (‘‘RFA’’) also do not apply.7 Further, this rule does not contain any collection of information requirements as defined by the Paperwork Reduction Act of 1995 as amended. 44 U.S.C. 3501 et seq.
Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Office of Information and Regulatory Affairs designated this rule as not a ‘‘major rule,’’ as defined by 5 U.S.C. 804(2).
6 28 U.S.C. 2461 note at (6).
7 A regulatory flexibility analysis under the RFA is required only when an agency must publish a notice of proposed rulemaking for comment. See 5 U.S.C. 603.
List of Subjects for 16 CFR Part 1
Administrative practice and procedure, Penalties, Trade practices.
Text of Amendments
For the reasons set forth in the preamble, the Federal Trade Commission amends 16 CFR part 1 as follows:
PART 1—GENERAL PROCEDURES
Subpart L—Civil Penalty Adjustments Under the Federal Civil Penalties Inflation Adjustment Act of 1990, as Amended
■ 1. The authority citation for subpart L continues to read as follows:
Authority: 28 U.S.C. 2461 note.
■ 2. Revise § 1.98 to read as follows:
§ 1.98 Adjustment of civil monetary penalty amounts.
This section makes inflation adjustments in the dollar amounts of civil monetary penalties provided by law within the Commission’s jurisdiction. The following maximum civil penalty amounts apply only to penalties assessed after January 10, 2024, including those penalties whose associated violation predated January 10, 2024.
(a) Section 7A(g)(1) of the Clayton Act, 15 U.S.C. 18a(g)(1)—$51,744;
(b) Section 11(l) of the Clayton Act, 15 U.S.C. 21(l)—$27,491;
(c) Section 5(l) of the FTC Act, 15 U.S.C. 45(l)—$51,744;
(d) Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. 45(m)(1)(A)—$51,744;
(e) Section 5(m)(1)(B) of the FTC Act, 15 U.S.C. 45(m)(1)(B)—$51,744;
(f) Section 10 of the FTC Act, 15 U.S.C. 50—$680;
(g) Section 5 of the Webb-Pomerene (Export Trade) Act, 15 U.S.C. 65—$680;
(h) Section 6(b) of the Wool Products Labeling Act, 15 U.S.C. 68d(b)—$680;
(i) Section 3(e) of the Fur Products Labeling Act, 15 U.S.C. 69a(e)—$680;
(j) Section 8(d)(2) of the Fur Products Labeling Act, 15 U.S.C. 69f(d)(2)—$680;
(k) Section 333(a) of the Energy Policy and Conservation Act, 42 U.S.C. 6303(a)—$560;
(l) Sections 525(a) and (b) of the Energy Policy and Conservation Act, 42 U.S.C. 6395(a) and (b), respectively—$27,491 and $51,744, respectively;
(m) Section 621(a)(2) of the Fair Credit Reporting Act, 15 U.S.C. 1681s(a)(2)—$4,857;
(n) Section 1115(a) of the Medicare Prescription Drug Improvement and Modernization Act of 2003, Public Law 108–173, as amended by Public Law 115–263, 21 U.S.C. 355 note—$18,293;
(o) Section 814(a) of the Energy Independence and Security Act of 2007, 42 U.S.C. 17304—$1,472,546; and
(p) Civil monetary penalties authorized by reference to the Federal Trade Commission Act under any other provision of law within the jurisdiction of the Commission—refer to the amounts set forth in paragraphs (c), (d), (e) and (f) of this section, as applicable.
By direction of the Commission.
Joel Christie,
Acting Secretary.
[FR Doc. 2024–00301 Filed 1–9–24; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF JUSTICE
28 CFR Part 16
[CPCLO Order No. 12–2021; AG Order No.
5851–2024]
RIN 1105–AB66
Privacy Act Regulations
AGENCY: United States Department of Justice.
ACTION: Final rule.
SUMMARY: This rule amends the United States Department of Justice (‘‘DOJ’’ or ‘‘Department’’) Privacy Act implementation regulations, including its Privacy Act record access and amendment procedures. Additionally, this rule includes procedures regarding processing Privacy Act requests to access or amend covered records, as designated under the Judicial Redress Act of 2015, and expands protections on the Department’s maintenance of Social Security account numbers, in accordance with the Social Security Number Fraud Prevention Act of 2017.
DATES: This final rule is effective February 9, 2024.
FOR FURTHER INFORMATION CONTACT: Katherine Harman-Stokes, Acting Director, U.S. Department of Justice, Office of Privacy and Civil Liberties, Two Constitution Square, 145 N Street NE, Suite 8W.300, Washington, DC 20530, telephone (202) 514–0208 (not a toll-free call).
SUPPLEMENTARY INFORMATION:
I. Public Participation
The Department received no
comments in response to the notice of
proposed rulemaking for the revision of
the Department of Justice Privacy Act
regulations published on January 6,
2023, 88 FR 1012, and now finalizes this
rule without changes.
II. Overview of the Department’s
Privacy Act of 1974 Implementation
Regulations
The Privacy Act of 1974, as amended,
5 U.S.C. 552a (‘‘Privacy Act’’),
establishes certain agency
responsibilities and individual rights
regarding the collection, use,
maintenance, and disclosure of records
about individuals. To carry out these
rights, the Privacy Act requires agencies
to promulgate rules that will: (1)
establish procedures whereby an
individual can be notified if any system
of records named by the individual
contains a record pertaining to that
individual; (2) define reasonable times,
places, and requirements for identifying
an individual who requests a record or
information pertaining to the individual
before the agency shall make the record
or information available; (3) establish
procedures for the disclosure to an
individual upon request of a record or
information pertaining to the
individual, including special
procedures, if deemed necessary, for the
disclosure to an individual of medical
records pertaining to the individual; (4)
establish procedures for reviewing a
request from an individual concerning
the amendment of any record or
information pertaining to the
individual, for making a determination
on the request, for an appeal within the
agency of an initial adverse agency
determination, and for whatever
additional means may be necessary for
each individual to exercise fully the
individual’s rights under the Privacy
Act; and (5) establish fees to be charged,
if any, to any individual for making
copies of records pertaining to the
individual, excluding the cost of any
search for and review of the record. 5
U.S.C. 552a(f).
The Department’s Privacy Act
regulations are promulgated at title 28,
part 16, subpart D, Code of Federal
Regulations. While existing procedures
have largely remained the same, certain
amendments are required to ensure the
Department’s Privacy Act regulations
reflect changes in the law, as well as in
the Department’s practices.
III. Discussion of Changes
A. Relationship to the Freedom of
Information Act
The Department continues to process
all Privacy Act requests for access to
records under the Freedom of
Information Act (‘‘FOIA’’), 5 U.S.C. 552,
following the rules contained in subpart
A of part 16, thus giving requesters the
benefit of both statutes. The updates to
subpart D, in particular 28 CFR 16.41
through 16.45, better align the FOIA and
Privacy Act request-for-access
procedures. For example, updates to 28
CFR 16.42 align the consultation,
referral, and coordination procedures
with the FOIA procedures under 28 CFR
16.4, subject to certain deviations to
comply with Privacy Act requirements.
Updates to 28 CFR 16.42 through 16.43
align the re-routing of misdirected
Privacy Act requests for access
procedures, the procedures for
determining which component is
responsible for responding to a request,
and the timing for those responses, with
the FOIA procedures contained in 28
CFR part 16, subpart A. Finally, similar
to the FOIA procedures, components are
encouraged, to the extent practicable, to
communicate with requesters having
access to the internet using electronic
means, such as by email or through a
web portal.
B. Updates to the Privacy Act Request-for-Access Procedures
The changes set forth in this rule
update the Department’s Privacy Act
request-for-access procedures to more
accurately reflect existing practices.
First, the rules clarify that the
Department has a decentralized system
for responding to Privacy Act requests
for access, by informing requesters that
they may make a Privacy Act request for
access by writing directly to the
component that maintains the record. 28
CFR 16.41(a)(1). The updates remove
the requirement that a requester send or
deliver requests to Department field
offices, and instead require requesters
to send or deliver requests to the
component’s office at the address listed
in appendix I to 28 CFR part 16, or in
accordance with the access procedures
outlined in the corresponding System of
Records Notice. 28 CFR 16.41(a)(2).
Additionally, the updates remove
explicit references to in-person Privacy
Act requests for access because such
requests have become generally
impracticable for members of the public.
That said, the new procedures explicitly
state that a requester may request a
record in a particular form or format, 28
CFR 16.41(b), and components will
honor a requester’s preference where the
record is readily reproducible by the
component in the form or format
requested, 28 CFR 16.43(a). This would
continue to permit a member of the
public to request access to the member’s
records in-person when components can
provide a copy of the record for in-person inspection.
C. Updates to the Privacy Act
Procedures for Requests for Amendment
or Correction
The rule updates the Department’s
procedures for requesting amendment or
correction of records under the Privacy
Act, in accordance with existing
practices. First, the rule would
explicitly set out the timing for
components to respond to a Privacy Act
request for amendment or correction. 28
CFR 16.46(b). In accordance with the
Privacy Act, 5 U.S.C. 552a(d)(2),
components responsible for responding
to a Privacy Act request for amendment
or correction must acknowledge, in
writing, the receipt of the request no
later than ten (10) working days after
receipt, and must promptly grant or
refuse to grant the request. 28 CFR
16.46(b)(1). The rule authorizes
components to designate multiple
processing tracks that distinguish
between simple and more complex
Privacy Act requests for amendment or
correction, consistent with the Privacy
Act request-for-access procedures. 28
CFR 16.46(b)(3). The rule requires
components to provide additional
content in the response that components
must provide when refusing to grant a
Privacy Act request for amendment or
correction. 28 CFR 16.46(e). Finally, the
rule updates the list of records not
subject to amendment or correction. 28
CFR 16.46(i).
D. Privacy Act Access Appeals and
Privacy Act Amendment Appeals
The rule updates the Department’s
Privacy Act administrative appeal
procedures to align with existing
practices. First, the rules clarify that a
refusal to grant a Privacy Act request for
access or Privacy Act request for
amendment or correction is subject to
an administrative appeal, and provide
examples of what commonly qualifies as
a refusal to grant a Privacy Act request.
28 CFR 16.45 through 16.46. The rule
clarifies that the Attorney General has
designated the Director of the Office of
Information Policy, or the Director’s
designee, with the responsibility for
adjudicating Privacy Act access appeals,
28 CFR 16.45(b)(1), and the DOJ Chief
Privacy and Civil Liberties Officer
(‘‘CPCLO’’), or the CPCLO’s designee,
with the responsibility for adjudicating
Privacy Act amendment appeals. 28
CFR 16.46(f)(1).
E. Safeguards and Employee Code of
Conduct
The rule updates the Department’s
Privacy Act record safeguard
requirements and employee conduct
requirements to reflect updated
standards of practice. First, the updates
clarify that the Department’s
administrative, technical, and physical
controls in place for its systems of
records are consistent with applicable
Department and government-wide laws,
regulations, policies, and standards,
including but not limited to those
required for the security of Department
information systems. 28 CFR 16.51.
Second, the updates require Department
employees to read, acknowledge, and
agree to abide by the Department of
Justice rules of behavior for accessing,
collecting, using, maintaining, and
protecting personally identifiable
information. 28 CFR 16.54.
F. Judicial Redress Act of 2015
The Judicial Redress Act of 2015,
Public Law 114–126, 130 Stat. 282
(‘‘Judicial Redress Act’’), codified at 5
U.S.C. 552a note, extends certain rights
of judicial redress established under the
Privacy Act to citizens of foreign
countries or regional economic
organizations certified as a ‘‘covered
country.’’ Specifically, the Judicial
Redress Act enables a ‘‘covered person’’
(i.e., a natural person, other than a U.S.
citizen or permanent resident alien, who
is a citizen of a covered country) to
bring suit and obtain specified redress
in the same manner, to the same extent,
and subject to the same limitations,
including exemptions and exceptions,
as an ‘‘individual’’ (i.e., a U.S. citizen or
permanent resident alien) may bring
suit and obtain specified redress with
respect to the improper refusal to grant
access to or an amendment of a
‘‘covered record’’ (i.e., a record
pertaining to the covered person
transferred by a public authority of, or
a private entity within, a covered
country to a designated Federal agency
or component for purposes of
preventing, investigating, detecting, or
prosecuting criminal offenses) under 5
U.S.C. 552a(g)(1)(A) & (B). The updates
clarify that, consistent with the
processes established for individuals
under the Privacy Act, a covered person
must follow the Privacy Act request-for-access procedures, or the Privacy Act
request-for-amendment or correction
procedures, before a covered person
may file suit. 28 CFR 16.40(e).
G. Social Security Number Fraud
Prevention Act of 2017
The Social Security Number Fraud
Prevention Act of 2017, Public Law
115–59, 131 Stat. 1152 (‘‘SSN Fraud
Prevention Act’’), codified at 42 U.S.C.
405 note, requires the Department to
promulgate rules that will: (1) specify
the circumstances under which
inclusion of a Social Security account
number on a document sent by mail is
necessary; (2) instruct components on
the partial redaction of Social Security
account numbers where feasible; and (3)
require that Social Security account
numbers not be visible on the outside of
any package sent by mail. This proposal
promulgates the above requirements.
Specifically, the updates define the
term ‘‘necessary’’ to include only those
circumstances in which a component
would be unable to comply, in whole or
in part, with a legal, regulatory, or
policy requirement if prohibited from
mailing the full Social Security account
number. 28 CFR 16.53(b). The definition
further specifies that including the full
Social Security account number on a
document sent by mail is not necessary
if a legal, regulatory, or policy
requirement could be satisfied by either
partially redacting the Social Security
account number or by removing the
Social Security number entirely. Id.
Components are then restricted from
including the full Social Security
account number on any document sent
by mail unless the inclusion of the
Social Security account number on the
document is necessary. 28 CFR 16.53(d).
Unless the Attorney General directs
otherwise, the CPCLO is authorized to
assist components in interpreting this
paragraph. 28 CFR 16.53(d)(1).
The updates also instruct
components, where feasible, to partially
redact the Social Security account
number on any document sent by mail
by including no more than the last four
digits of the Social Security account
number, while prioritizing technical
methods to facilitate such redactions. 28
CFR 16.53(d)(3).
H. Administrative Amendments
Finally, the rule amends 28 CFR part
16, subpart D, throughout to correct
minor administrative edits or to
reorganize sentences, sections, or
paragraphs for readability.
IV. Regulatory Certifications
Executive Orders 12866 and 13563—
Regulatory Review
This rule does not raise novel legal or
policy issues, nor does it adversely
affect the economy, the budgetary
impact of entitlements, grants, user fees,
loan programs, or the rights and
obligations of recipients thereof in a
material way. The Department of Justice
has determined that this rule is not a
‘‘significant regulatory action’’ under
Executive Order 12866, section 3(f), and
accordingly this rule has not been
reviewed by the Office of Information
and Regulatory Affairs within the Office
of Management and Budget (‘‘OMB’’)
pursuant to Executive Order 12866.
Regulatory Flexibility Act
This rule relates to individuals rather
than small business entities. Pursuant to
the requirements of the Regulatory
Flexibility Act of 1980, 5 U.S.C. 601–612, therefore, the rule will not have a
significant economic impact on a
substantial number of small entities.
Congressional Review Act
This rule is not a major rule as
defined by the Congressional Review
Act, 5 U.S.C. 804. This rule will not
result in an annual effect on the
economy of $100,000,000 or more; a
major increase in costs or prices; or
significant adverse effects on
competition, employment, investment,
productivity, innovation, or on the
ability of United States-based
companies to compete with foreign-based companies in domestic and
export markets.
Paperwork Reduction Act
The Paperwork Reduction Act of
1995, 44 U.S.C. 3507(d), requires the
Department to consider the impact of
paperwork and other information
collection burdens imposed on the
public. The DOJ Certification of Identity
Form, DOJ–361, has been assigned OMB
No. 1103–0016.
Unfunded Mandates Reform Act of
1995
This rule will not result in the
expenditure by State, local, and tribal
governments, in the aggregate, or by the
private sector, of $100,000,000 or more
in any one year, and it will not
significantly or uniquely affect small
governments. Therefore, no actions were
deemed necessary under the provisions
of the Unfunded Mandates Reform Act
of 1995.
Executive Order 13132—Federalism
This rule will not have substantial
direct effects on the States, on the
relationship between the National
Government and the States, or on
distribution of power and
responsibilities among the various
levels of government. Therefore, in
accordance with Executive Order 13132,
it is determined that this rule does not
have sufficient federalism implications
to warrant the preparation of a
Federalism Assessment.
Executive Order 12988—Civil Justice
Reform
This rule meets the applicable
standards set forth in sections 3(a) and
3(b)(2) of Executive Order 12988 to
eliminate drafting errors and ambiguity,
minimize litigation, provide a clear legal
standard for affected conduct, and
promote simplification and burden
reduction.
Executive Order 13175—Consultation
and Coordination With Indian Tribal
Governments
This rule will have no implications
for Indian Tribal governments. More
specifically, it does not have substantial
direct effects on one or more Indian
tribes, on the relationship between the
Federal Government and Indian tribes,
or on the distribution of power and
responsibilities between the Federal
Government and Indian tribes.
Therefore, the consultation
requirements of Executive Order 13175
do not apply.
List of Subjects in 28 CFR Part 16
Administrative practices and
procedures, Courts, Freedom of
information, Privacy.
Pursuant to the authority vested in me
by 5 U.S.C. 552a and 42 U.S.C. 405 note,
the Department of Justice amends 28
CFR part 16 as follows:
PART 16—PRODUCTION OR
DISCLOSURE OF MATERIAL OR
INFORMATION
■ 1. The authority citation for part 16 is revised to read as follows:
Authority: 5 U.S.C. 301, 552, 552a, 553; 28 U.S.C. 509, 510, 534; 31 U.S.C. 3717; 42 U.S.C. 405.
■ 2. Revise subpart D to read as follows:
Subpart D—Access to and Amendment
of Individual Records Pursuant to the
Privacy Act of 1974, and Other Privacy
Protections
Sec.
16.40 General provisions.
16.41 Privacy Act requests for access to
records.
16.42 Responsibility for responding to
Privacy Act requests for access to
records.
16.43 Responses to Privacy Act requests for
access to records.
16.44 Classified information.
16.45 Privacy Act access appeals.
16.46 Privacy Act requests for amendment
or correction.
16.47 Privacy Act requests for an
accounting of record disclosures.
16.48 Preservation of records.
16.49 Fees.
16.50 Notice of compulsory legal process
and emergency disclosures.
16.51 Security of systems of records.
16.52 Contracts for the operation of record
systems.
16.53 Use and collection of Social Security
account numbers.
16.54 Employee standards of conduct.
16.55 Other rights and services.
§ 16.40 General provisions.
(a) Purpose and scope. (1) This
subpart contains the rules that the
Department of Justice (‘‘DOJ’’ or ‘‘the
Department’’) follows when handling
records maintained by the Department
in a system of records, in accordance
with the Privacy Act of 1974, as
amended, 5 U.S.C. 552a (‘‘Privacy Act’’
or ‘‘PA’’). This subpart describes the
procedures by which individuals can be
notified if a Department system of
records contains records about
themselves, may request access to
records about themselves maintained in
a Department system of records, may
request amendment or correction of
records about themselves maintained in
a Department system of records, and
may request an accounting of
disclosures of records about themselves
maintained in a Department system of
records. This subpart also establishes
other procedures on the appropriate
maintenance of records by the
Department and when Privacy Act
exemptions may apply. This subpart
should be read together with the Privacy
Act, which provides additional
information about records maintained in
agency systems of records, including
those of the Department.
(2) This subpart contains the
procedures that the Department follows
when handling covered records
maintained by the Department in a
system of records, in accordance with
the Judicial Redress Act of 2015, 5
U.S.C. 552a note (‘‘Judicial Redress
Act’’). This subpart should be read
together with the Privacy Act and the
Judicial Redress Act, which provide
additional information about covered
records maintained in agency systems of
records, including those of the
Department.
(3) This subpart contains the
procedures that the Department follows
when collecting, using, maintaining, or
disclosing Social Security account
numbers, in accordance with the
Privacy Act and the Social Security
Number Fraud Prevention Act of 2017,
42 U.S.C. 405 note (‘‘Social Security
Number Fraud Prevention Act’’). This
subpart should be read together with the
Privacy Act and the Social Security
Number Fraud Prevention Act, which
provide additional information about
agencies’ maintenance of Social
Security account numbers, including
that of the Department.
(b) Relationship to the Freedom of
Information Act. The Department also
processes Privacy Act requests for
access to records under the Freedom of
Information Act (FOIA), 5 U.S.C. 552,
following the rules contained in subpart
A of this part, which gives requesters
the benefits of both statutes.
(c) Definitions. In addition to the
definitions found under 5 U.S.C.
552a(a), and section (2)(h) of the Judicial
Redress Act, as used in this subpart:
Component means each separate
bureau, office, board, division,
commission, service, or administration
of the Department.
Privacy Act request for access means
a request made in accordance with 5
U.S.C. 552a(d)(1), and includes requests
for a Privacy Act access appeal, in
accordance with this subpart.
Privacy Act request for amendment or
correction means a request made in
accordance with 5 U.S.C. 552a(d)(2)–(4),
and includes requests for a Privacy Act
amendment or correction appeal, in
accordance with this subpart.
Privacy Act request for an accounting
means a request made in accordance
with 5 U.S.C. 552a(c)(3).
Requester means an individual who
makes a Privacy Act request for access,
a Privacy Act request for amendment or
correction, a Privacy Act request for an
accounting, or, as provided by the
Judicial Redress Act, a covered person
who makes either a Privacy Act request
for access or a Privacy Act request for
amendment or correction to covered
records.
System of Records Notice means the
notice(s) published by the Department
in the Federal Register upon the
establishment or modification of a
system of records describing the
existence and character of the system of
records. A System of Records Notice
(‘‘SORN’’) may be composed of a single
Federal Register notice addressing all of
the required elements that describe the
current system of records, or it may be
composed of multiple Federal Register
notices that together address all of the
required elements.
(d) Authority to request records for a
law enforcement purpose. The head of
a component or a United States
Attorney, or either’s designee, is
authorized to make written requests
under 5 U.S.C. 552a(b)(7), for records
maintained by other agencies that are
necessary to carry out an authorized law
enforcement activity. The request must
specify the particular portion desired
and the law enforcement activity for
which the record is sought.
(e) Judicial Redress Act application.
(1) With respect to covered records, the
Judicial Redress Act authorizes a
covered person to bring a civil action
against the Department and obtain civil
remedies, in the same manner, to the
same extent, and subject to the same
limitations, including exemptions and
exceptions, as an individual may bring
a civil action and obtain civil remedies
with respect to records under 5 U.S.C.
552a(g)(1)(A), (B).
(2) To the extent consistent with the
Judicial Redress Act, when making a
request for access, amendment, or
correction to a covered record, a covered
person must follow the procedures
outlined in this subpart for making a
Privacy Act request for access to a
covered record, or a Privacy Act request
for amendment or correction of a
covered record. A covered person must
exhaust the administrative remedies, as
outlined in this subpart, before the
covered person may bring a cause of
action described in paragraph (e)(1) of
this section.
(f) Providing written consent to
disclose records protected under the
Privacy Act. The Department may
disclose any record contained in a
system of records by any means of
communication to any person, or to
another agency, pursuant to a written
request by, or with the prior written
consent of, the individual about whom
the record pertains. An individual must
verify the individual’s identity in the
same manner as required by § 16.41(d)
when providing written consent to
disclose a record protected under the
Privacy Act and pertaining to the
individual.
§ 16.41 Privacy Act requests for access to
records.
(a) General information. (1) The
Department has a decentralized system
for responding to Privacy Act requests
for access to records, with each
component designating an office to
process Privacy Act requests for access
to records maintained by that
component. A requester may make a
Privacy Act request for access to records
about the requester by writing directly
to the component that maintains the
records. All components have the
capability to receive requests
electronically either through email or a
web portal. The request should be sent
or delivered to the component’s office at
the address listed in appendix I to this
part, or in accordance with the access
procedures outlined in the
corresponding SORN. The functions of
each component are summarized in part
0 of this title and in the description of
the Department and its components in
the United States Government Manual,
which is updated on a year-round basis
and is available free of charge at https://www.usgovernmentmanual.gov/.
(2) If a requester cannot determine
where within the Department to send
the Privacy Act request for access to
records, the requester may send it by
mail to the FOIA/PA Mail Referral Unit,
Justice Management Division,
Department of Justice, 950 Pennsylvania
Avenue NW, Washington, DC 20530–0001; by email to MRUFOIA.Requests@usdoj.gov; or by fax to (202) 616–6695.
The Mail Referral Unit will forward the
request to the component(s) it believes
most likely to have the requested
records. For the quickest possible
handling, the requester should mark
both the request letter and the envelope
‘‘Privacy Act Access Request.’’
(b) Description of records sought.
Requesters must describe the records
sought in sufficient detail to enable
Department personnel to locate the
applicable system of records containing
them with a reasonable amount of effort.
To the extent possible, requesters
should include specific information that
may assist a component in identifying
the requested records, such as the name
or identifying number of each system of
records in which the requester believes
the records are maintained, or the date,
title, name, author, recipient, case
number, file designation, reference
number, or subject matter of the record.
The Department publishes SORNs in the
Federal Register that describe the type
and categories of records maintained in
Department-wide and component-specific systems of records. Department
SORNs may be found in published
issues of the Federal Register and a list
is available at https://www.justice.gov/opcl/doj-systems-records. Requesters
may also request the record in a
particular form or format.
(c) Agreement to pay fees. A Privacy
Act request for access may specify the
amount of fees that the requester is
willing to pay in accordance with
§ 16.49. The component responsible for
responding to the request shall confirm
this agreement in an acknowledgement
letter, in accordance with § 16.43.
(d) Verification of identity. (1) A
requester must verify the requester’s
identity when making a Privacy Act
request for access. The requester must
state the requester’s full name, current
address, and date and place of birth.
The requester must:
(i) Sign the request, and the signature
must either be notarized or submitted by
the requester under 28 U.S.C. 1746, a
law that permits statements to be made
under penalty of perjury as a substitute
for notarization; or
(ii) When available, use one of the
Department’s approved digital services,
as indicated on the Department’s
Privacy Act Request web page, to verify
the identity of the requester through
identity proofing and authentication
processes.
(2) While no specific form is required,
the requester may obtain forms for this
purpose from the FOIA/PA Mail
Referral Unit, Justice Management
Division, Department of Justice, 950
Pennsylvania Avenue NW, Washington,
DC 20530–0001, or obtain the form at
https://www.justice.gov/oip/doj-reference-guide-attachment-d-copies-forms.
(3) To help identify and locate
requested records, a requester may also
include, at the requester’s option, any
additional identifying information
which may be helpful in identifying and
locating the requested records.
Components shall establish appropriate
administrative, technical, and physical
safeguards to ensure the security and
confidentiality of information provided
by the requester, and to protect against
any anticipated threats, in accordance
with § 16.51.
(e) Verification of guardianship. (1)
The parent of a minor, or the legal
guardian of an individual who has been
declared incompetent due to physical or
mental incapacity or age by a court of
competent jurisdiction, is permitted to
act on behalf of the individual. In order
for a parent of a minor or the legal
guardian of an individual to make a
Privacy Act request for access on behalf
of the individual, the parent or legal
guardian must establish:
(i) The identity of the individual who
is the subject of the request, by stating
the name, current address, date and
place of birth, and, at the parent or legal
guardian’s option, any additional
identifying information that may be
helpful in identifying and locating the
requested records;
(ii) The parent or legal guardian’s own
identity, as required in paragraph (d) of
this section;
(iii) Proof of parentage or legal
guardianship, which may be proven by
providing a copy of the individual’s
birth certificate or by providing a court
order establishing legal guardianship;
and
(iv) That the parent or legal guardian
is acting on behalf of that individual in
making the request.
(2) Components shall establish
appropriate administrative, technical,
and physical safeguards to ensure the
security and confidentiality of
information provided by the parent or
legal guardian, and to protect against
any anticipated threats, in accordance
with § 16.51.
§ 16.42 Responsibility for responding to
Privacy Act requests for access to records.
(a) In general. Except as stated in
paragraphs (c) through (f) of this section,
the component that first receives a
Privacy Act request for access is the
component responsible for responding
to the request. In determining which
records are responsive to a request, a
component ordinarily will include only
those records it maintained as of the
date the component begins its search. If
any other date is used, the component
shall inform the requester of that date.
(b) Authority to grant or deny
requests. The head of a component, or
the component head’s designee, is
authorized to grant or deny any Privacy
Act request for access to records
maintained by that component.
(c) Re-routing of misdirected requests.
When a component’s FOIA/Privacy Act
office determines that a request was
misdirected within the Department, the
receiving component’s FOIA/Privacy
Act office shall route the request to the
FOIA/Privacy Act office of the proper
component(s).
(d) Consultations, referrals, and
coordination. When a component
receives a Privacy Act request for access
to a record in its possession, it shall
determine whether another component,
or another agency of the Federal
Government, is better able to determine
whether the record is exempt from
access under the Privacy Act. If the
receiving component determines that it
is best able to process the record in
response to the request, then it shall do
so. If the receiving component
determines that it is not best able to
process the record, then it shall follow
the consultation, referral, and
coordination procedures under § 16.4,
subject to the requirements in this
section. Components may make
agreements with other components or
agencies to eliminate the need for
consultations or referrals for particular
types of records.
(e) Consultations, referrals, and
coordination concerning law
enforcement information. When a
component receives a Privacy Act
request for access to a record in its
possession containing information that
relates to an investigation of a possible
violation of law and that originated with
another component or agency of the
Federal Government, the receiving
component shall either refer the
responsibility for responding to the
request regarding that information to
that other component or agency or shall
consult with that other component or
agency.
(f) Consultations, referrals, and
coordination concerning classified
information. (1) When a component
receives a Privacy Act request for access
to a record containing information that
has been classified or may be
appropriate for classification by another
component or agency under any
applicable Executive order concerning
the classification of records, the
receiving component shall consult with
or refer the responsibility for responding
to the request regarding that information
to the component or agency that
classified the information, or that
should consider the information for
classification.
(2) When a component receives a
Privacy Act request for access to a
record containing information that has
been derivatively classified, the
receiving component shall consult with
or refer the responsibility for responding
to that portion of the request to the
component or agency that classified the
underlying information.
§ 16.43 Responses to Privacy Act
requests for access to records.
(a) In general. Components should, to
the extent practicable, communicate
with requesters who have access to the
internet using electronic means, such as
through email or a web portal. A
component shall honor a requester’s
preference for receiving a record in a
particular form or format where it is
readily reproducible by the component
in the form or format requested.
(b) Acknowledgement of requests. The
component responsible for responding
to the request must acknowledge, in
writing, receipt of a Privacy Act request
for access. A component shall initially
respond to the requester by
acknowledging the Privacy Act request
for access, assigning the request an
individualized tracking number, and, if
applicable, confirming, in writing, the
requester’s agreement to pay fees in
accordance with § 16.49.
(c) Timing of responses to a Privacy
Act request for access. (1) Components
ordinarily will respond to Privacy Act
requests for access according to their
order of receipt. The response time will
commence on the date that the request
is received by the proper component’s
office designated to receive requests, but
in any event not later than ten (10)
working days after the request is first
received by any component’s office
designated by this subpart to receive
requests.
(2) A component may designate
multiple processing tracks that
distinguish between simple and more
complex Privacy Act requests for access,
based on the estimated amount of work
or time needed to process the request.
Among the factors a component may
consider are the number of pages
involved in processing the request and
the need for consultations or referrals.
Components may advise requesters of
the track into which their request falls
and, when appropriate, may offer
requesters an opportunity to narrow
their request so that it can be placed in
a different processing track.
(d) Granting a Privacy Act request for
access. Once a component makes a
determination to grant a Privacy Act
request for access, in whole or in part,
it shall notify the requester in writing.
The component shall inform the
requester in the notice of any fee
charged under § 16.49 and shall disclose
records to the requester promptly on
payment of any applicable fee.
(e) Adverse determination to a Privacy
Act request for access. A component
that makes an adverse determination to
a Privacy Act request for access, in
whole or in part, shall notify the
requester of the adverse determination
in writing. An adverse determination to
a Privacy Act request for access includes
a determination by the component that:
the request did not reasonably describe
the record sought; the information
requested is not a record subject to the
Privacy Act; the requested record is not
maintained in a system of records; the
requested record is exempt, in whole or
in part, from a Privacy Act request for
access under applicable exemption(s);
the requested record does not exist,
cannot be located, or has been
destroyed; the record is not readily
reproducible in a comprehensible form;
or there is a matter regarding disputed
fees.
(f) Content of adverse determination
response. An adverse determination to a
Privacy Act request for access, in whole
or in part, shall be signed by the head
of the component, or the component
head’s designee, and shall include:
(1) The name and title or position of
the person responsible for the adverse
determination to the Privacy Act request
for access;
(2) A brief statement of the reason(s)
for the adverse determination to the
Privacy Act request for access, including
any Privacy Act exemption(s) applied
by the component;
(3) An estimate of the volume of any
records or information withheld, if
applicable, such as the number of pages
or some other reasonable form of
estimation, although such an estimate is
not required if the volume is otherwise
indicated or if providing an estimate
would harm an interest protected by an
applicable exemption; and
(4) A statement that the adverse
determination to the Privacy Act request
for access may be appealed under
§ 16.45, and a description of the
requirements set forth in § 16.45.
§ 16.44 Classified information.
In processing a Privacy Act request for
access, a Privacy Act request for
amendment or correction, or a Privacy
Act request for accounting, in which
information is classified under any
applicable Executive order concerning
the classification of records, to the
extent the requester lacks the
appropriate security clearance and fails
otherwise to meet all requirements to
access the classified record or
information, the originating component
shall review the information in the
record to determine whether it should
remain classified. Information
determined to no longer require
classification shall be de-classified and
the record evaluated for an appropriate
release to the requester, subject to any
applicable exemptions or exceptions.
On receipt of any appeal involving
classified information, the official
responsible for adjudicating the appeal
shall take appropriate action to ensure
compliance with part 17 of this title.
§ 16.45 Privacy Act access appeals.
(a) Requirement for making a Privacy
Act access appeal. A requester may
appeal an adverse determination to a
Privacy Act request for access to the
Office of Information Policy (‘‘OIP’’).
The contact information for OIP is
contained in the FOIA Reference Guide,
which is available at
https://www.justice.gov/oip/04_3.html. Appeals
may also be submitted through the web
portal accessible on OIP’s website.
Examples of an adverse determination
to a Privacy Act request for access are
provided in § 16.43. The requester must
make the appeal in writing. To be
considered timely, the requester must
postmark, or in the case of electronic
submissions, submit the request, within
90 calendar days after the date of the
adverse determination. The appeal
should indicate the assigned request
number and clearly identify the
component’s determination that is being
appealed. To facilitate handling, the
requester should mark both the appeal
letter and envelope, or include in the
subject line of any electronic
communication, ‘‘Privacy Act Access
Appeal.’’
(b) Adjudication of Privacy Act access
appeals. (1) The Director of OIP, or a
designee of the Director of OIP, shall act
on behalf of the Attorney General on all
Privacy Act access appeals under this
section, unless the Attorney General
directs otherwise.
(2) Should the Attorney General
exercise the right to respond to a
Privacy Act request for access, the
Attorney General’s decision shall serve
as the final action of the Department
and will not be subject to a Privacy Act
access appeal.
(3) A Privacy Act access appeal
ordinarily will not be adjudicated if the
request becomes a matter of litigation.
(c) Responses to Privacy Act access
appeals. (1) OIP shall make its decision
on an appeal in writing.
(2) A decision that upholds a
component’s adverse determination to
the Privacy Act request for access, in
whole or in part, shall include a brief
statement of the reason(s) for the
affirmance, including any Privacy Act
exemption applied, and shall provide
the requester with notification of the
statutory right to file a lawsuit.
(3) A decision that reverses or
modifies, in whole or in part, a
component’s adverse determination to
the Privacy Act request for access shall
include notice to the requester of the
specific reversal or modification. The
component(s) shall thereafter further
process the request, in accordance with
the appeal decision, and respond
directly to the requester, as appropriate.
(d) When a Privacy Act access appeal
is required. Before seeking review by a
court of a component’s refusal to grant
a Privacy Act request for access, a
requester generally must first submit a
timely appeal in accordance with this
section.
§ 16.46 Privacy Act requests for
amendment or correction.
(a) Requirements for making a Privacy
Act request for amendment or
correction. Unless the record is not
subject to amendment or correction, as
stated in paragraph (i) of this section,
individuals may make a Privacy Act
request for amendment or correction of
a Department record about themselves.
Requesters must write directly to the
Department component that maintains
the record. A Privacy Act request for
amendment or correction shall identify
each particular record in question, state
the amendment or correction that the
requester would like to make, and state
why the requester believes the record is
not accurate, relevant, timely, or
complete. Requesters may submit any
documentation that would be helpful in
determining the accuracy, relevance,
timeliness, or completeness of the
record. If the requester believes that the
same record is in more than one
Department system of records, the
requester should address the request to
each component that the requester
believes maintains the record. For the
quickest possible handling, requesters
should mark both their request letter
and envelope ‘‘Privacy Act Amendment
Request.’’ Components and requesters
must otherwise follow the procedures
and responsibilities set forth in §§ 16.41
and 16.42.
(b) Timing of responses to a Privacy
Act request for amendment or
correction. (1) Components responsible
for responding to a Privacy Act request
for amendment or correction must
acknowledge, in writing, receipt of the
request no later than ten (10) working
days after receipt.
(2) Components must promptly
respond to a Privacy Act request for
amendment or correction. Components
ordinarily will respond to Privacy Act
requests for amendment or correction
according to their order of receipt. The
response time will commence on the
date that the request is received by the
proper component’s office designated to
receive requests, but in any event no
later than ten (10) working days after the
request is first received by any
component’s office designated by this
subpart to receive requests.
(3) A component may designate
multiple processing tracks that
distinguish between simple and more
complex Privacy Act requests for
amendment or correction, based on the
estimated amount of work or time
needed to process the request. Among
the factors a component may consider
are the number of pages involved in
processing the request and the need for
consultations or referrals. Components
may advise requesters of the track into
which their request falls and, when
appropriate, may offer requesters an
opportunity to narrow their request so
that it can be placed in a different
processing track.
(c) Granting a Privacy Act request for
amendment or correction. If a
component grants a Privacy Act request
for amendment or correction, in whole
or in part, it shall notify the requester
in writing. The component shall
describe the amendment or correction
made and shall advise the requester of
the requester’s right to obtain a copy of
the corrected or amended record, in
accordance with the Privacy Act right of
access procedures described in §§ 16.41
through 16.45.
(d) Adverse determination to a
Privacy Act request for amendment or
correction. A component that makes an
adverse determination to a Privacy Act
request for amendment or correction, in
whole or in part, shall notify the
requester of the determination in
writing. An adverse determination to a
Privacy Act request for amendment or
correction includes a decision by the
component that: the information at issue
is not a record as defined by the Privacy
Act; the requested record is not subject
to amendment or correction as stated in
paragraph (i) of this section; the request
does not reasonably describe the records
sought or the amendment or correction
to that record; the record at issue does
not exist, cannot be located, has been
destroyed, or otherwise cannot be
amended or corrected; or the record is
maintained with such accuracy,
relevance, timeliness, and completeness
as is reasonably necessary to assure
fairness in any determination about the
individual about whom the record
pertains.
(e) Content of adverse determination
response. An adverse determination to a
Privacy Act request for amendment or
correction, in whole or in part, shall be
signed by the head of the component, or
the component head’s designee, and
shall include:
(1) The name and title or position of
the person responsible for the adverse
determination to the Privacy Act request
for amendment or correction;
(2) A brief statement of the reason(s)
for the adverse determination to the
Privacy Act request for amendment or
correction, including any Privacy Act
exemption(s) applied by the component;
and
(3) A statement that the adverse
determination to the Privacy Act request
for amendment or correction may be
appealed under paragraph (f) of this
section and a description of the
requirements set forth in paragraph (f).
(f) Privacy Act amendment appeals.
(1) A requester may appeal an adverse
determination to a Privacy Act request
for amendment or correction, in whole
or in part, to the Office of Privacy and
Civil Liberties (‘‘OPCL’’). The contact
information for OPCL is available at
https://www.justice.gov/privacy. The
requester must make the appeal in
writing. To be considered timely, the
requester must postmark the appeal
request, or in the case of electronic
submissions, submit the appeal request,
within 90 calendar days after the date of
the component’s refusal to grant a
Privacy Act request for amendment or
correction. The appeal should indicate
the assigned request number and clearly
identify the component’s determination
that is being appealed. To facilitate
handling, the requester should mark
both the appeal letter and envelope, or
include in the subject line of the
electronic transmission, ‘‘Privacy Act
Amendment Appeal.’’
(2) The Chief Privacy and Civil
Liberties Officer (‘‘CPCLO’’), or a
designee of the CPCLO, will act on
behalf of the Attorney General on all
Privacy Act amendment appeals under
this section, unless otherwise directed
by the Attorney General.
(3) A Privacy Act amendment appeal
ordinarily will not be adjudicated if the
request becomes a matter of litigation.
(4) A decision on a Privacy Act
amendment appeal must be made in
writing. A decision that upholds a
component’s adverse determination to a
Privacy Act request for amendment or
correction, in whole or in part, shall
include a brief statement of the reason(s)
for the affirmance, including any
Privacy Act exemption applied, whether
the requester has a right to file a
Statement of Disagreement, as described
in paragraph (g) of this section, and the
requester’s statutory right to file a
lawsuit. A decision that reverses or
modifies a component’s adverse
determination to a Privacy Act request
for amendment or correction, in whole
or in part, shall notify the requester of
the specific reversal or modification.
The component shall thereafter further
process the request, in accordance with
the appeal decision, and respond
directly to the requester, as appropriate.
(g) Statement of Disagreement. If a
request is subject to a Privacy Act
request for amendment or correction,
but the component’s adverse
determination to a Privacy Act request
for amendment or correction is upheld,
in whole or in part, the requester has the
right to file a Statement of Disagreement
that states the requester’s reason(s) for
disagreeing with the Department’s
refusal to grant the requester’s Privacy
Act request for amendment or
correction. Statements of Disagreement
must be concise, must clearly identify
each part of any record that is disputed,
and should be no longer than one typed
page for each fact disputed. A Statement
of Disagreement must be sent to the
component involved, which shall place
it in the system of records in which the
disputed record is maintained so that
the Statement of Disagreement
supplements the disputed record. The
component shall mark the disputed
record to indicate that a Statement of
Disagreement has been filed and where
in the system of records it may be
found.
(h) Notification of amendment,
correction, or Statement of
Disagreement. Within thirty (30)
working days of the amendment or
correction of a record, the component
that maintains the record shall notify all
persons, organizations, or agencies to
which it previously disclosed the
record, if an accounting of that
disclosure was made, that the record has
been amended or corrected. If an
individual has filed a Statement of
Disagreement, the component shall
append a copy of it to the disputed
record whenever the record is disclosed.
The component may also append a
concise statement of its reason(s) for
denying the Privacy Act request for
amendment or correction of the record.
(i) Records not subject to amendment
or correction. The following records are
not subject to amendment or correction:
(1) Copies of court records;
(2) Transcripts of testimony given
under oath or written statements made
under oath;
(3) Transcripts of grand jury
proceedings, judicial proceedings, or
quasi-judicial proceedings, which are
the official record of those proceedings;
(4) Presentence reports, and other
records pertaining directly to such
reports originating with the courts;
(5) Records in a system of records that
have been exempted from amendment
and correction, pursuant to 5 U.S.C.
552a(j) or (k), through the applicable
regulations in this subpart; and
(6) Records not maintained in a
system of records.
§ 16.47 Privacy Act requests for an
accounting of record disclosures.
(a) Requirements for making a Privacy
Act request for accounting of record
disclosures. Except where accountings
of disclosures are not required to be
kept as stated in paragraph (c) of this
section, individuals may make a Privacy
Act request for an accounting of record
disclosures about themselves that have
been made by the Department to another
person, organization, or agency. This
accounting contains the date, nature,
and purpose of each disclosure, as well
as the name and address of the person,
organization, or agency to which the
disclosure was made. If the requester
believes that the same record is in more
than one system of records, the
requester should address their request to
each component that the requester
believes maintains the record. For the
quickest possible handling, requesters
should mark both their request letters
and envelopes ‘‘Privacy Act Accounting
Request.’’ Requests must otherwise
follow the procedures in § 16.41.
(b) Processing Privacy Act requests for
an accounting of record disclosures.
Unless otherwise specified in this
section, components shall process
Privacy Act requests for accountings of
record disclosures following the
procedures in §§ 16.42 and 16.43.
(c) Where accountings of record
disclosures are not required.
Components are not required to provide
Privacy Act accountings of record
disclosures to a requester in cases in
which they relate to:
(1) Disclosures of information not
subject to the Privacy Act;
(2) Disclosures of records not
maintained in a system of records;
(3) Disclosures of records maintained
in a system of records for which
accountings are not required to be kept,
including disclosures to those officers
and employees of the Department who
have a need for the record in the
performance of their duties, 5 U.S.C.
552a(b)(1), or disclosures that are
required under the FOIA, 5 U.S.C.
552a(b)(2);
(4) Disclosures made to law
enforcement agencies for authorized law
enforcement activities in response to
written requests from those law
enforcement agencies specifying the law
enforcement activities for which the
disclosures are sought; or
(5) Disclosures made from systems of
records that have been exempted from
the accounting of record disclosure
requirements pursuant to the Privacy
Act, 5 U.S.C. 552a(j) or (k), through the
applicable regulations in this subpart.
(d) Appeals. A requester may appeal
a component’s refusal to grant a Privacy
Act request for an accounting of record
disclosures in the same manner, and
under the same procedures, as a Privacy
Act access appeal, as set forth in § 16.45.
§ 16.48 Preservation of records.
Each component shall preserve all
correspondence pertaining to the
requests that it receives under this
subpart, as well as copies of all
requested records, until disposition or
destruction is authorized by title 44 of
the United States Code or by the
National Archives and Records
Administration’s General Records
Schedule 4.2. Records shall not be
disposed of while they are the subject of
a pending request, appeal, or lawsuit
under the Privacy Act.
§ 16.49 Fees.
Components shall charge fees for
duplication of records under the Privacy
Act in the same way in which they
charge duplication fees for responding
to FOIA requests under § 16.10. No
search or review fee may be charged for
any record unless the record has been
exempted from access pursuant to
exemptions enumerated in the Privacy
Act, 5 U.S.C. 552a(j)(2) or (k)(2).
§ 16.50 Notice of compulsory legal
process and emergency disclosures.
(a) Legal process disclosures.
Components shall make reasonable
efforts to provide notice to an individual
whose record is disclosed under
compulsory legal process, such as an
order by a court of competent
jurisdiction, and such process becomes
a matter of public record. Notice shall
be given within a reasonable time after
the component’s receipt of process,
except that in a case in which such
process is not a matter of public record,
the notice shall be given within a
reasonable time only after such process
becomes public. Where an individual,
or the individual’s legal counsel, has not
otherwise received notice of the
disclosure in the litigation process,
notice shall be mailed to the
individual’s last known address and
shall contain a copy of such process and
a description of the information
disclosed. Notice shall not be required
if disclosure is made from a system of
records that has been exempted from the
notice requirement.
(b) Emergency disclosures. Upon
disclosing a record pertaining to an
individual made under compelling
circumstances affecting health or safety,
the component shall notify that
individual of the disclosure. This notice
shall be mailed to the individual’s last
known address and shall state the
nature of the information disclosed; the
person, organization, or agency to which
it was disclosed; the date of disclosure;
and the compelling circumstances
justifying the disclosure.
§ 16.51 Security of systems of records.
(a) Each component shall establish
and maintain administrative, technical,
and physical controls consistent with
applicable Department and
Government-wide laws, regulations,
policies, and standards, to ensure the
security and confidentiality of records,
and to protect against reasonably
anticipated threats or hazards to their
security or integrity, including against
any reasonably anticipated
unauthorized access, use, or disclosure,
which could result in substantial harm,
embarrassment, inconvenience, or
unfairness to individuals about whom
information is maintained. The
stringency of these controls shall
correspond to the sensitivity of the
records that the controls protect. At a
minimum, each component shall
maintain administrative, technical, or
physical controls to ensure that:
(1) Records are protected from
unauthorized access, including
unauthorized public access;
(2) The physical area in which records
are maintained is supervised or
appropriately secured to prevent
unauthorized persons from having
access to them;
(3) Records are protected from
damage, loss, or unauthorized alteration
or destruction; and
(4) Records are not disclosed to
unauthorized persons or to authorized
persons for unauthorized purposes in
either oral or written form.
(b) Each component shall establish
procedures that restrict access to records
to only those individuals within the
Department who must have access to
those records in order to perform their
duties and that prevent inadvertent
disclosure of records.
(c) The CPCLO, or a designee of the
CPCLO, may impose additional
administrative, technical, or physical
controls to protect records in
consultation with the Chief Information
Officer and the Director of the Office of
Records Management Policy.
§ 16.52 Contracts for the operation of
record systems.
(a) Any approved contract for the
operation of a system of records shall
contain the standard contract terms and
conditions in accordance with the
Federal Acquisition Regulations in 48
CFR chapter 28 and may also contain
additional privacy-related terms and
conditions to ensure compliance with
the requirements of the Privacy Act for
that system of records. The contracting
component will be responsible for
ensuring that the contractor complies
with these contract requirements.
(b) The CPCLO, a designee of the
CPCLO, or contracting components may
impose additional contract requirements
to further protect records.
§ 16.53 Use and collection of Social
Security account numbers.
(a) Purpose and scope. This section
contains the rules that the Department
of Justice follows in handling Social
Security account numbers in accordance
with section 7 of the Privacy Act, and
with the Social Security Fraud
Prevention Act.
(b) Definitions. For the purposes of
this section:
Mail means any physical package sent
to entities or individuals outside the
Department through the United States
Postal Service or any other express mail
carrier; and
Necessary includes only those
circumstances in which a component
would be unable to comply, in whole or
in part, with a legal, regulatory, or
policy requirement if prohibited from
mailing the full Social Security account
number. Including the full Social
Security account number of an
individual on a document sent by mail
is not ‘‘necessary’’ if a legal, regulatory,
or policy requirement could be satisfied
by either partially redacting the Social
Security account number in accordance
with paragraph (d)(3) of this section, or
entirely removing the Social Security
account number.
(c) Denial of rights, benefits, or
privileges. Components are prohibited
from denying any right, benefit, or
privilege provided by law to an
individual because of such individual’s
refusal to disclose the individual’s
Social Security account number. This
paragraph (c) shall not apply with
respect to:
(1) Any disclosure that is required by
Federal statute; or
(2) The disclosure of a Social Security
account number to any Federal, State, or
local agency maintaining a system of
records in existence and operating
before January 1, 1975, if such
disclosure was required under statute or
regulation adopted prior to such date to
verify the identity of an individual.
(d) Restriction of Social Security
account numbers on documents sent by
mail. (1) A component shall not include
the full Social Security account number
of an individual on any document sent
by mail, unless the inclusion of the
Social Security account number on the
document is necessary. Unless the
Attorney General directs otherwise, the
CPCLO is authorized to assist
components in implementing this
paragraph (d), including determining
whether inclusion of the Social Security
account number on a document sent by
mail is necessary.
(2) If the use of the full Social
Security account number on a document
sent by mail is necessary, the
component sending the document shall
implement appropriate administrative,
technical, and physical safeguards to
ensure a reasonable level of security
against unauthorized access to, and use,
disclosure, disruption, modification, or
destruction of, the documents sent by
mail.
(3) Where feasible, components
should partially redact the Social
Security account number on any
document sent by mail by including no
more than the last four digits of the
Social Security account number.
Components should prioritize technical
methods to redact Social Security
account numbers.
(4) Components are prohibited from
placing a Social Security account
number, whether full or partially
redacted, on the outside of any mail.
(e) Employee awareness. Each
component shall ensure that employees
authorized to collect Social Security
account numbers are made aware of the
following:
(1) The requirements of paragraphs (c)
and (d) of this section;
(2) That individuals requested to
provide their Social Security account
numbers must be informed of:
(i) Whether providing Social Security
account numbers is mandatory or
voluntary;
(ii) Any statutory or regulatory
authority that authorizes the collection
of Social Security account numbers; and
(iii) The uses that will be made of the
Social Security account numbers; and
(3) That the Department may have
other regulations or policies regulating
the use, maintenance, or disclosure of
Social Security account numbers by
which employees must abide.
§ 16.54 Employee standards of conduct.
Each component shall inform its
employees and any contractors involved
in developing or maintaining a system
of records of the provisions of the
Privacy Act, including the Privacy Act’s
civil liability and criminal penalty
provisions. Unless otherwise permitted
by law, employees and contractors of
the Department shall:
(a) Collect from individuals only the
information that is relevant and
necessary to discharge the
responsibilities of the Department;
(b) Collect information about an
individual directly from that individual
whenever practicable;
(c) Inform each individual asked to
supply information for a record
pertaining to that individual of:
(1) The legal authority to collect the
information and whether providing it is
mandatory or voluntary;
(2) The principal purpose for which
the Department intends to use the
information;
(3) The routine uses the Department
may make of the information; and
(4) The effects on the individual, if
any, of not providing the information;
(d) Ensure that the component
maintains no system of records without
public notice and that it notifies
appropriate Department officials of the
existence or development of any system
of records that is not the subject of a
current or planned public notice;
(e) Maintain all records that are used
by the Department in making any
determination about an individual with
such accuracy, relevance, timeliness,
and completeness as is reasonably
necessary to ensure fairness to the
individual in the determination;
(f) Except as to disclosures made to an
agency or made under the FOIA, make
reasonable efforts, prior to
disseminating any record about an
individual, to ensure that the record is
accurate, relevant, timely, and complete;
(g) Maintain no record describing how
an individual exercises the individual’s
First Amendment rights, unless
maintaining the record is expressly
authorized by statute or by the
individual about whom the record is
maintained, or is pertinent to and
within the scope of an authorized law
enforcement activity;
(h) When required by the Privacy Act,
maintain an accounting in the specified
form of all disclosures of records by the
Department to persons, organizations, or
agencies;
(i) Maintain and use records with care
to prevent the loss or the unauthorized
or inadvertent disclosure of a record to
anyone;
(j) Notify the appropriate Department
official of any record that contains
information that the Privacy Act does
not permit the Department to maintain;
and
(k) Read, acknowledge, and agree to
abide by the Department of Justice rules
of behavior for accessing, collecting,
using, and maintaining Department
information.
§ 16.55 Other rights and services.
Nothing in this subpart shall be
construed to entitle any person, as of
right, to any service or to the disclosure
of any record to which such person is
not entitled under the Privacy Act, the
Social Security Fraud Reduction Act, or
the Judicial Redress Act.
■ 3. Amend appendix I to part 16 by
revising the first two paragraphs to read
as follows:
Appendix I to Part 16—Components of
the Department of Justice
Please consult Attachment B of the
Department of Justice FOIA Reference Guide
for the contact information and a detailed
description of the types of records
maintained by each Department component.
The FOIA Reference Guide is available at
https://www.justice.gov/oip/department-justice-freedom-information-act-reference-guide
or upon request to the Office of
Information Policy (OIP).
The Department component offices, and
any component-specific requirements, for
making a FOIA or Privacy Act request are
listed in this appendix. The Certification
of Identity form, available at
https://www.justice.gov/oip/doj-reference-guide-attachment-d-copies-forms,
may be used by
individuals who are making requests for
records pertaining to themselves. For each of
the six components marked with an asterisk,
FOIA and Privacy Act requests for access
must be sent to OIP, which handles initial
requests for those six components.
* * * * *
Dated: January 2, 2024.
Merrick B. Garland,
Attorney General.
[FR Doc. 2024–00282 Filed 1–9–24; 8:45 am]
BILLING CODE 4410–PJ–P
DEPARTMENT OF HOMELAND
SECURITY
Coast Guard
33 CFR Part 165
[Docket Number USCG–2024–0020]
RIN 1625–AA00
Safety Zone; North Pacific Ocean,
Dutch Harbor, AK
AGENCY: Coast Guard, Department of
Homeland Security (DHS).
ACTION: Temporary final rule.
SUMMARY: The Coast Guard is
establishing a temporary safety zone for
navigable waters within a 1 nautical
mile radius of the M/V GENIUS STAR
XI. The safety zone is needed to protect
personnel, vessels, and the marine
environment from potential hazards
created by a fire onboard the M/V
GENIUS STAR XI. Entry of vessels or
persons into this zone is prohibited
unless specifically authorized by the
Captain of the Port, Western Alaska.
DATES: This rule is effective without
actual notice from January 10, 2024,
through March 6, 2024. For the
purposes of enforcement, actual notice
will be used from January 7, 2024, until
January 10, 2024.
ADDRESSES: To view documents
mentioned in this preamble as being
available in the docket, go to
https://www.regulations.gov, type
USCG–2024–0020 in the search box and click
‘‘Search.’’ Next, in the Document Type
column, select ‘‘Supporting & Related
Material.’’
FOR FURTHER INFORMATION CONTACT: If
you have questions about this rule, call
or email LT William Mason, Sector
Anchorage, AK Waterways Management
Division, U.S. Coast Guard; telephone
907–428–4100, email
sectoranchorage@uscg.mil.
SUPPLEMENTARY INFORMATION:
I. Table of Abbreviations
CFR Code of Federal Regulations
DHS Department of Homeland Security
FR Federal Register
NPRM Notice of proposed rulemaking
§ Section
U.S.C. United States Code
II. Background Information and
Regulatory History
The Coast Guard is issuing this
temporary rule under authority in 5
U.S.C. 553(b)(B). This statutory
provision authorizes an agency to issue
a rule without prior notice and
opportunity to comment when the
agency for good cause finds that those
procedures are ‘‘impracticable,
unnecessary, or contrary to the public
interest.’’ The Coast Guard finds that
good cause exists for not publishing a
notice of proposed rulemaking (NPRM)
with respect to this rule because
publishing an NPRM would be
impracticable because of the urgent
need to establish a safety zone as soon
as possible to enhance public safety
given the dangers associated with a
vessel recently on fire.
Also, under 5 U.S.C. 553(d)(3), the
Coast Guard finds that good cause exists
for making this rule effective less than
30 days after publication in the Federal
Register. Delaying the effective date of
this rule would be impracticable
because immediate action is needed to
respond to the potential safety hazards
associated with a recent fire onboard the
M/V GENIUS STAR XI and the
emergency operations taking place.
III. Legal Authority and Need for Rule
The Coast Guard is issuing this rule
under authority in 46 U.S.C. 70034. The
Captain of the Port, Western Alaska has
determined that potential hazards
associated with ongoing response
activities for a recent vessel fire and the
hazardous materials onboard the vessel
will be a safety concern for anyone
within a 1 nautical mile radius of the
M/V GENIUS STAR XI. This rule is needed
to protect personnel, vessels, and the
marine environment in the navigable
waters within the safety zone from the
potential hazards created by the vessel
fire. The duration of the rule is
necessary due to the challenges
associated with getting materiel and
personnel to the vessel given its remote
location.
IV. Discussion of the Rule
This rule establishes a safety zone
from January 7, 2024, through March 6,
2024. The safety zone will cover all
navigable waters within 1 nautical mile
of the M/V GENIUS STAR XI within the
Captain of the Port Zone Western Alaska
in the vicinity of the Port of Dutch
Harbor, Alaska. The M/V GENIUS STAR
XI, IMO 9622710, is a 410 foot General
cargo ship with a white superstructure
and a black hull.
V. Regulatory Analyses
We developed this rule after
considering numerous statutes and
Executive orders related to rulemaking.
Below we summarize our analyses
based on a number of these statutes and
Executive orders, and we discuss First
Amendment rights of protestors.
A. Regulatory Planning and Review
Executive Orders 12866 and 13563
direct agencies to assess the costs and
benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits.
This rule has not been designated a
‘‘significant regulatory action,’’ under
section 3(f) of Executive Order 12866, as
amended by Executive Order 14094
(Modernizing Regulatory Review).
Accordingly, this rule has not been
reviewed by the Office of Management
and Budget (OMB).
This regulatory action determination
is based on the safety of emergency
operators in the vicinity of the M/V
GENIUS STAR XI. The small size and
short duration of this safety zone
combined with anticipated limited
vessel traffic is expected to minimally
restrict vessel movements. Moreover,
the Coast Guard will issue a Broadcast
Notice to Mariners via available local
means about the zone, and the rule will
allow vessels to seek permission under
certain conditions to enter the zone
from the COTP or a designated
representative.
B. Impact on Small Entities
The Regulatory Flexibility Act of
1980, 5 U.S.C. 601–612, as amended,
requires Federal agencies to consider
the potential impact of regulations on
small entities during rulemaking. The
term ‘‘small entities’’ comprises small
businesses, not-for-profit organizations
that are independently owned and
operated and are not dominant in their
fields, and governmental jurisdictions
with populations of less than 50,000.
The Coast Guard certifies under 5 U.S.C.
605(b) that this rule will not have a
significant economic impact on a
substantial number of small entities.
While some owners or operators of
vessels intending to transit the safety
zone may be small entities, for the
reasons stated in section V.A above, this
rule will not have a significant
economic impact on any vessel owner
or operator.
Under section 213(a) of the Small
Business Regulatory Enforcement
Fairness Act of 1996 (Pub. L. 104–121),
we want to assist small entities in
understanding this rule. If the rule
[Federal Register Volume 89, Number 7 (Wednesday, January 10, 2024)]
[Rules and Regulations]
[Pages 1447-1457]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-00282]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF JUSTICE
28 CFR Part 16
[CPCLO Order No. 12-2021; AG Order No. 5851-2024]
RIN 1105-AB66
Privacy Act Regulations
AGENCY: United States Department of Justice.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This rule amends the United States Department of Justice
(``DOJ'' or ``Department'') Privacy Act implementation regulations,
including its Privacy Act record access and amendment procedures.
Additionally, this rule includes procedures regarding processing
Privacy Act requests to access or amend covered records, as designated
under the Judicial Redress Act of 2015, and expands protections on the
Department's maintenance of Social Security account numbers, in
accordance with the Social Security Number Fraud Prevention Act of
2017.
DATES: This final rule is effective February 9, 2024.
FOR FURTHER INFORMATION CONTACT: Katherine Harman-Stokes, Acting
Director, U.S. Department of Justice, Office of Privacy and Civil
Liberties, Two Constitution Square, 145 N Street NE, Suite 8W.300,
Washington, DC
20530, telephone (202) 514-0208 (not a toll-free call).
SUPPLEMENTARY INFORMATION:
I. Public Participation
The Department received no comments in response to the notice of
proposed rulemaking for the revision of the Department of Justice
Privacy Act regulations published on January 6, 2023, 88 FR 1012, and
now finalizes this rule without changes.
II. Overview of the Department's Privacy Act of 1974 Implementation
Regulations
The Privacy Act of 1974, as amended, 5 U.S.C. 552a (``Privacy
Act''), establishes certain agency responsibilities and individual
rights regarding the collection, use, maintenance, and disclosure of
records about individuals. To carry out these rights, the Privacy Act
requires agencies to promulgate rules that will: (1) establish
procedures whereby an individual can be notified if any system of
records named by the individual contains a record pertaining to that
individual; (2) define reasonable times, places, and requirements for
identifying an individual who requests a record or information
pertaining to the individual before the agency shall make the record or
information available; (3) establish procedures for the disclosure to
an individual upon request of a record or information pertaining to the
individual, including special procedures, if deemed necessary, for the
disclosure to an individual of medical records pertaining to the
individual; (4) establish procedures for reviewing a request from an
individual concerning the amendment of any record or information
pertaining to the individual, for making a determination on the
request, for an appeal within the agency of an initial adverse agency
determination, and for whatever additional means may be necessary for
each individual to exercise fully the individual's rights under the
Privacy Act; and (5) establish fees to be charged, if any, to any
individual for making copies of records pertaining to the individual,
excluding the cost of any search for and review of the record. 5 U.S.C.
552a(f).
The Department's Privacy Act regulations are promulgated at title
28, part 16, subpart D, Code of Federal Regulations. While existing
procedures have largely remained the same, certain amendments are
required to ensure the Department's Privacy Act regulations reflect
changes in the law, as well as in the Department's practices.
III. Discussion of Changes
A. Relationship to the Freedom of Information Act
The Department continues to process all Privacy Act requests for
access to records under the Freedom of Information Act (``FOIA''), 5
U.S.C. 552, following the rules contained in subpart A of part 16, thus
giving requesters the benefit of both statutes. The updates to subpart
D, in particular 28 CFR 16.41 through 16.45, better align the FOIA and
Privacy Act request-for-access procedures. For example, updates to 28
CFR 16.42 align the consultation, referral, and coordination procedures
with the FOIA procedures under 28 CFR 16.4, subject to certain
deviations to comply with Privacy Act requirements. Updates to 28 CFR
16.42 through 16.43 align the re-routing of misdirected Privacy Act
requests for access procedures, the procedures for determining which
component is responsible for responding to a request, and the timing
for those responses, with the FOIA procedures contained in 28 CFR part
16, subpart A. Finally, similar to the FOIA procedures, components are
encouraged, to the extent practicable, to communicate with requesters
having access to the internet using electronic means, such as by email
or through a web portal.
B. Updates to the Privacy Act Request-for-Access Procedures
The changes set forth in this rule update the Department's Privacy
Act request-for-access procedures to more accurately reflect existing
practices. First, the rules clarify that the Department has a
decentralized system for responding to Privacy Act requests for access,
by informing requesters that they may make a Privacy Act request for
access by writing directly to the component that maintains the record.
28 CFR 16.41(a)(1). The updates remove the requirement that a requester
send or deliver requests to Department field offices, and instead
require requesters to send or deliver requests to the component's
office at the address listed in appendix I to 28 CFR part 16, or in
accordance with the access procedures outlined in the corresponding
System of Records Notice. 28 CFR 16.41(a)(2).
Additionally, the updates remove explicit references to in-person
Privacy Act requests for access because such requests have become
generally impracticable for members of the public. That said, the new
procedures explicitly state that a requester may request a record in a
particular form or format, 28 CFR 16.41(b), and components will honor a
requester's preference where the record is readily reproducible by the
component in the form or format requested, 28 CFR 16.43(a). This would
continue to permit a member of the public to request access to the
member's records in-person when components can provide a copy of the
record for in-person inspection.
C. Updates to the Privacy Act Procedures for Requests for Amendment or
Correction
The rule updates the Department's procedures for requesting
amendment or correction of records under the Privacy Act, in accordance
with existing practices. First, the rule would explicitly set out the
timing for components to respond to a Privacy Act request for amendment
or correction. 28 CFR 16.46(b). In accordance with the Privacy Act, 5
U.S.C. 552a(d)(2), components responsible for responding to a Privacy
Act request for amendment or correction must acknowledge, in writing,
the receipt of the request no later than ten (10) working days after
receipt, and must promptly grant or refuse to grant the request. 28 CFR
16.46(b)(1). The rule authorizes components to designate multiple
processing tracks that distinguish between simple and more complex
Privacy Act requests for amendment or correction, consistent with the
Privacy Act request-for-access procedures. 28 CFR 16.46(b)(3). The rule
requires components to provide additional content in the response that
components must provide when refusing to grant a Privacy Act request
for amendment or correction. 28 CFR 16.46(e). Finally, the rule updates
the list of records not subject to amendment or correction. 28 CFR
16.46(i).
D. Privacy Act Access Appeals and Privacy Act Amendment Appeals
The rule updates the Department's Privacy Act administrative appeal
procedures to align with existing practices. First, the rules clarify
that a refusal to grant a Privacy Act request for access or Privacy Act
request for amendment or correction is subject to an administrative
appeal, and provide examples of what commonly qualifies as a refusal
to grant a Privacy Act request. 28 CFR 16.45 through 16.46. The rule
clarifies that the Attorney General has designated the Director of the
Office of Information Policy, or the Director's designee, with the
responsibility for adjudicating Privacy Act access appeals, 28 CFR
16.45(b)(1), and the DOJ Chief Privacy and Civil Liberties Officer
(``CPCLO''), or the CPCLO's designee, with the responsibility for
adjudicating
Privacy Act amendment appeals. 28 CFR 16.46(f)(1).
E. Safeguards and Employee Code of Conduct
The rule updates the Department's Privacy Act record safeguard
requirements and employee conduct requirements to reflect updated
standards of practice. First, the updates clarify that the Department's
administrative, technical, and physical controls in place for its
systems of records are consistent with applicable Department and
government-wide laws, regulations, policies, and standards, including
but not limited to those required for the security of Department
information systems. 28 CFR 16.51. Second, the updates require
Department employees to read, acknowledge, and agree to abide by the
Department of Justice rules of behavior for accessing, collecting,
using, maintaining, and protecting personally identifiable information.
28 CFR 16.54.
F. Judicial Redress Act of 2015
The Judicial Redress Act of 2015, Public Law 114-126, 130 Stat. 282
(``Judicial Redress Act''), codified at 5 U.S.C. 552a note, extends
certain rights of judicial redress established under the Privacy Act to
citizens of foreign countries or regional economic organizations
certified as a ``covered country.'' Specifically, the Judicial Redress
Act enables a ``covered person'' (i.e., a natural person, other than a
U.S. citizen or permanent resident alien, who is a citizen of a covered
country) to bring suit and obtain specified redress in the same manner,
to the same extent, and subject to the same limitations, including
exemptions and exceptions, as an ``individual'' (i.e., a U.S. citizen
or permanent resident alien) may bring suit and obtain specified
redress with respect to the improper refusal to grant access to or an
amendment of a ``covered record'' (i.e., a record pertaining to the
covered person transferred by a public authority of, or a private
entity within, a covered country to a designated Federal agency or
component for purposes of preventing, investigating, detecting, or
prosecuting criminal offenses) under 5 U.S.C. 552a(g)(1)(A) & (B). The
updates clarify that, consistent with the processes established for
individuals under the Privacy Act, a covered person must follow the
Privacy Act request-for-access procedures, or the Privacy Act request-
for-amendment or correction procedures, before a covered person may
file suit. 28 CFR 16.40(e).
G. Social Security Number Fraud Prevention Act of 2017
The Social Security Number Fraud Prevention Act of 2017, Public Law
115-59, 131 Stat. 1152 (``SSN Fraud Prevention Act''), codified at 42
U.S.C. 405 note, requires the Department to promulgate rules that will:
(1) specify the circumstances under which inclusion of a Social
Security account number on a document sent by mail is necessary; (2)
instruct components on the partial redaction of Social Security account
numbers where feasible; and (3) require that Social Security account
numbers not be visible on the outside of any package sent by mail. This
proposal promulgates the above requirements.
Specifically, the updates define the term ``necessary'' to include
only those circumstances in which a component would be unable to
comply, in whole or in part, with a legal, regulatory, or policy
requirement if prohibited from mailing the full Social Security account
number. 28 CFR 16.53(b). The definition further specifies that
including the full Social Security account number on a document sent by
mail is not necessary if a legal, regulatory, or policy requirement
could be satisfied by either partially redacting the Social Security
account number or by removing the Social Security number entirely. Id.
Components are then restricted from including the full Social Security
account number on any document sent by mail unless the inclusion of the
Social Security account number on the document is necessary. 28 CFR
16.53(d). Unless the Attorney General directs otherwise, the CPCLO is
authorized to assist components in interpreting this paragraph. 28 CFR
16.53(d)(1).
The updates also instruct components, where feasible, to partially
redact the Social Security account number on any document sent by mail
by including no more than the last four digits of the Social Security
account number, while prioritizing technical methods to facilitate such
redactions. 28 CFR 16.53(d)(3).
H. Administrative Amendments
Finally, the rule amends 28 CFR part 16, subpart D, throughout to
correct minor administrative edits or to reorganize sentences,
sections, or paragraphs for readability.
IV. Regulatory Certifications
Executive Orders 12866 and 13563--Regulatory Review
This rule does not raise novel legal or policy issues, nor does it
adversely affect the economy, the budgetary impact of entitlements,
grants, user fees, loan programs, or the rights and obligations of
recipients thereof in a material way. The Department of Justice has
determined that this rule is not a ``significant regulatory action''
under Executive Order 12866, section 3(f), and accordingly this rule
has not been reviewed by the Office of Information and Regulatory
Affairs within the Office of Management and Budget (``OMB'') pursuant
to Executive Order 12866.
Regulatory Flexibility Act
This rule relates to individuals rather than small business
entities. Pursuant to the requirements of the Regulatory Flexibility
Act of 1980, 5 U.S.C. 601-612, therefore, the rule will not have a
significant economic impact on a substantial number of small entities.
Congressional Review Act
This rule is not a major rule as defined by the Congressional
Review Act, 5 U.S.C. 804. This rule will not result in an annual effect
on the economy of $100,000,000 or more; a major increase in costs or
prices; or significant adverse effects on competition, employment,
investment, productivity, innovation, or on the ability of United
States-based companies to compete with foreign-based companies in
domestic and export markets.
Paperwork Reduction Act
The Paperwork Reduction Act of 1995, 44 U.S.C. 3507(d), requires
the Department to consider the impact of paperwork and other
information collection burdens imposed on the public. The DOJ
Certification of Identity Form, DOJ-361, has been assigned OMB No.
1103-0016.
Unfunded Mandates Reform Act of 1995
This rule will not result in the expenditure by State, local, and
tribal governments, in the aggregate, or by the private sector, of
$100,000,000 or more in any one year, and it will not significantly or
uniquely affect small governments. Therefore, no actions were deemed
necessary under the provisions of the Unfunded Mandates Reform Act of
1995.
Executive Order 13132--Federalism
This rule will not have substantial direct effects on the States,
on the relationship between the National Government and the States, or
on distribution of power and responsibilities among the various levels
of government. Therefore, in accordance with Executive Order 13132, it
is determined that this rule does not
have sufficient federalism implications to warrant the preparation of a
Federalism Assessment.
Executive Order 12988--Civil Justice Reform
This rule meets the applicable standards set forth in sections 3(a)
and 3(b)(2) of Executive Order 12988 to eliminate drafting errors and
ambiguity, minimize litigation, provide a clear legal standard for
affected conduct, and promote simplification and burden reduction.
Executive Order 13175--Consultation and Coordination With Indian Tribal
Governments
This rule will have no implications for Indian Tribal governments.
More specifically, it does not have substantial direct effects on one
or more Indian tribes, on the relationship between the Federal
Government and Indian tribes, or on the distribution of power and
responsibilities between the Federal Government and Indian tribes.
Therefore, the consultation requirements of Executive Order 13175 do
not apply.
List of Subjects in 28 CFR Part 16
Administrative practices and procedures, Courts, Freedom of
information, Privacy.
Pursuant to the authority vested in me by 5 U.S.C. 552a and 42
U.S.C. 405 note, the Department of Justice amends 28 CFR part 16 as
follows:
PART 16--PRODUCTION OR DISCLOSURE OF MATERIAL OR INFORMATION
1. The authority citation for part 16 is revised to read as follows:
Authority: 5 U.S.C. 301, 552, 552a, 553; 28 U.S.C. 509, 510,
534; 31 U.S.C. 3717; 42 U.S.C. 405.
2. Revise subpart D to read as follows:
Subpart D--Access to and Amendment of Individual Records Pursuant
to the Privacy Act of 1974, and Other Privacy Protections
Sec.
16.40 General provisions.
16.41 Privacy Act requests for access to records.
16.42 Responsibility for responding to Privacy Act requests for
access to records.
16.43 Responses to Privacy Act requests for access to records.
16.44 Classified information.
16.45 Privacy Act access appeals.
16.46 Privacy Act requests for amendment or correction.
16.47 Privacy Act requests for an accounting of record disclosures.
16.48 Preservation of records.
16.49 Fees.
16.50 Notice of compulsory legal process and emergency disclosures.
16.51 Security of systems of records.
16.52 Contracts for the operation of record systems.
16.53 Use and collection of Social Security account numbers.
16.54 Employee standards of conduct.
16.55 Other rights and services.
Sec. 16.40 General provisions.
(a) Purpose and scope. (1) This subpart contains the rules that the
Department of Justice (``DOJ'' or ``the Department'') follows when
handling records maintained by the Department in a system of records,
in accordance with the Privacy Act of 1974, as amended, 5 U.S.C. 552a
(``Privacy Act'' or ``PA''). This subpart describes the procedures by
which individuals can be notified if a Department system of records
contains records about themselves, may request access to records about
themselves maintained in a Department system of records, may request
amendment or correction of records about themselves maintained in a
Department system of records, and may request an accounting of
disclosures of records about themselves maintained in a Department
system of records. This subpart also establishes other procedures on
the appropriate maintenance of records by the Department and when
Privacy Act exemptions may apply. This subpart should be read together
with the Privacy Act, which provides additional information about
records maintained in agency systems of records, including those of the
Department.
(2) This subpart contains the procedures that the Department
follows when handling covered records maintained by the Department in a
system of records, in accordance with the Judicial Redress Act of 2015,
5 U.S.C. 552a note (``Judicial Redress Act''). This subpart should be
read together with the Privacy Act and the Judicial Redress Act, which
provide additional information about covered records maintained in
agency systems of records, including those of the Department.
(3) This subpart contains the procedures that the Department
follows when collecting, using, maintaining, or disclosing Social
Security account numbers, in accordance with the Privacy Act and the
Social Security Number Fraud Prevention Act of 2017, 42 U.S.C. 405 note
(``Social Security Number Fraud Prevention Act''). This subpart should
be read together with the Privacy Act and the Social Security Number
Fraud Prevention Act, which provide additional information about
agencies' maintenance of Social Security account numbers, including
that of the Department.
(b) Relationship to the Freedom of Information Act. The Department
also processes Privacy Act requests for access to records under the
Freedom of Information Act (FOIA), 5 U.S.C. 552, following the rules
contained in subpart A of this part, which gives requesters the
benefits of both statutes.
(c) Definitions. In addition to the definitions found under 5
U.S.C. 552a(a), and section (2)(h) of the Judicial Redress Act, as used
in this subpart:
Component means each separate bureau, office, board, division,
commission, service, or administration of the Department.
Privacy Act request for access means a request made in accordance
with 5 U.S.C. 552a(d)(1), and includes requests for a Privacy Act
access appeal, in accordance with this subpart.
Privacy Act request for amendment or correction means a request
made in accordance with 5 U.S.C. 552a(d)(2)-(4), and includes requests
for a Privacy Act amendment or correction appeal, in accordance with
this subpart.
Privacy Act request for an accounting means a request made in
accordance with 5 U.S.C. 552a(c)(3).
Requester means an individual who makes a Privacy Act request for
access, a Privacy Act request for amendment or correction, a Privacy
Act request for an accounting, or, as provided by the Judicial Redress
Act, a covered person who makes either a Privacy Act request for access
or a Privacy Act request for amendment or correction to covered
records.
System of Records Notice means the notice(s) published by the
Department in the Federal Register upon the establishment or
modification of a system of records describing the existence and
character of the system of records. A System of Records Notice
(``SORN'') may be composed of a single Federal Register notice
addressing all of the required elements that describe the current
system of records, or it may be composed of multiple Federal Register
notices that together address all of the required elements.
(d) Authority to request records for a law enforcement purpose. The
head of a component or a United States Attorney, or either's designee,
is authorized to make written requests under 5 U.S.C. 552a(b)(7), for
records maintained by other agencies that are necessary to carry out an
authorized law enforcement activity. The request must specify the
particular portion desired
and the law enforcement activity for which the record is sought.
(e) Judicial Redress Act application. (1) With respect to covered
records, the Judicial Redress Act authorizes a covered person to bring
a civil action against the Department and obtain civil remedies, in the
same manner, to the same extent, and subject to the same limitations,
including exemptions and exceptions, as an individual may bring a civil
action and obtain civil remedies with respect to records under 5 U.S.C.
552a(g)(1)(A), (B).
(2) To the extent consistent with the Judicial Redress Act, when
making a request for access, amendment, or correction to a covered
record, a covered person must follow the procedures outlined in this
subpart for making a Privacy Act request for access to a covered
record, or a Privacy Act request for amendment or correction of a
covered record. A covered person must exhaust the administrative
remedies, as outlined in this subpart, before the covered person may
bring a cause of action described in paragraph (e)(1) of this section.
(f) Providing written consent to disclose records protected under
the Privacy Act. The Department may disclose any record contained in a
system of records by any means of communication to any person, or to
another agency, pursuant to a written request by, or with the prior
written consent of, the individual about whom the record pertains. An
individual must verify the individual's identity in the same manner as
required by Sec. 16.41(d) when providing written consent to disclose a
record protected under the Privacy Act and pertaining to the
individual.
Sec. 16.41 Privacy Act requests for access to records.
(a) General information. (1) The Department has a decentralized
system for responding to Privacy Act requests for access to records,
with each component designating an office to process Privacy Act
requests for access to records maintained by that component. A
requester may make a Privacy Act request for access to records about
the requester by writing directly to the component that maintains the
records. All components have the capability to receive requests
electronically either through email or a web portal. The request should
be sent or delivered to the component's office at the address listed in
appendix I to this part, or in accordance with the access procedures
outlined in the corresponding SORN. The functions of each component are
summarized in part 0 of this title and in the description of the
Department and its components in the United States Government Manual,
which is updated on a year-round basis and is available free of charge
at https://www.usgovernmentmanual.gov/.
(2) If a requester cannot determine where within the Department to
send the Privacy Act request for access to records, the requester may
send it by mail to the FOIA/PA Mail Referral Unit, Justice Management
Division, Department of Justice, 950 Pennsylvania Avenue NW,
Washington, DC 20530-0001; by email to [email protected]; or
by fax to (202) 616-6695. The Mail Referral Unit will forward the
request to the component(s) it believes most likely to have the
requested records. For the quickest possible handling, the requester
should mark both the request letter and the envelope ``Privacy Act
Access Request.''
(b) Description of records sought. Requesters must describe the
records sought in sufficient detail to enable Department personnel to
locate the applicable system of records containing them with a
reasonable amount of effort. To the extent possible, requesters should
include specific information that may assist a component in identifying
the requested records, such as the name or identifying number of each
system of records in which the requester believes the records are
maintained, or the date, title, name, author, recipient, case number,
file designation, reference number, or subject matter of the record.
The Department publishes SORNs in the Federal Register that describe
the type and categories of records maintained in Department-wide and
component-specific systems of records. Department SORNs may be found in
published issues of the Federal Register and a list is available at
https://www.justice.gov/opcl/doj-systems-records. Requesters may also
request the record in a particular form or format.
(c) Agreement to pay fees. A Privacy Act request for access may
specify the amount of fees that the requester is willing to pay in
accordance with Sec. 16.49. The component responsible for responding
to the request shall confirm this agreement in an acknowledgement
letter, in accordance with Sec. 16.43.
(d) Verification of identity. (1) A requester must verify the
requester's identity when making a Privacy Act request for access. The
requester must state the requester's full name, current address, and
date and place of birth. The requester must:
(i) Sign the request, and the signature must either be notarized or
submitted by the requester under 28 U.S.C. 1746, a law that permits
statements to be made under penalty of perjury as a substitute for
notarization; or
(ii) When available, use one of the Department's approved digital
services, as indicated on the Department's Privacy Act Request web
page, to verify the identity of the requester through identity proofing
and authentication processes.
(2) While no specific form is required, the requester may obtain
forms for this purpose from the FOIA/PA Mail Referral Unit, Justice
Management Division, Department of Justice, 950 Pennsylvania Avenue NW,
Washington, DC 20530-0001, or obtain the form at https://www.justice.gov/oip/doj-reference-guide-attachment-d-copies-forms.
(3) To help identify and locate requested records, a requester may
also include, at the requester's option, any additional identifying
information which may be helpful in identifying and locating the
requested records. Components shall establish appropriate
administrative, technical, and physical safeguards to ensure the
security and confidentiality of information provided by the requester,
and to protect against any anticipated threats, in accordance with
Sec. 16.51.
(e) Verification of guardianship. (1) The parent of a minor, or the
legal guardian of an individual who has been declared incompetent due
to physical or mental incapacity or age by a court of competent
jurisdiction, is permitted to act on behalf of the individual. In order
for a parent of a minor or the legal guardian of an individual to make
a Privacy Act request for access on behalf of the individual, the
parent or legal guardian must establish:
(i) The identity of the individual who is the subject of the
request, by stating the name, current address, date and place of birth,
and, at the parent or legal guardian's option, any additional
identifying information that may be helpful in identifying and locating
the requested records;
(ii) The parent or legal guardian's own identity, as required in
paragraph (d) of this section;
(iii) Proof of parentage or legal guardianship, which may be proven
by providing a copy of the individual's birth certificate or by
providing a court order establishing legal guardianship; and
(iv) That the parent or legal guardian is acting on behalf of that
individual in making the request.
(2) Components shall establish appropriate administrative,
technical, and physical safeguards to ensure the security and
confidentiality of information provided by the parent or
legal guardian, and to protect against any anticipated threats, in
accordance with Sec. 16.51.
Sec. 16.42 Responsibility for responding to Privacy Act requests for
access to records.
(a) In general. Except as stated in paragraphs (c) through (f) of
this section, the component that first receives a Privacy Act request
for access is the component responsible for responding to the request.
In determining which records are responsive to a request, a component
ordinarily will include only those records it maintained as of the date
the component begins its search. If any other date is used, the
component shall inform the requester of that date.
(b) Authority to grant or deny requests. The head of a component,
or the component head's designee, is authorized to grant or deny any
Privacy Act request for access to records maintained by that component.
(c) Re-routing of misdirected requests. When a component's FOIA/
Privacy Act office determines that a request was misdirected within the
Department, the receiving component's FOIA/Privacy Act office shall
route the request to the FOIA/Privacy Act office of the proper
component(s).
(d) Consultations, referrals, and coordination. When a component
receives a Privacy Act request for access to a record in its
possession, it shall determine whether another component, or another
agency of the Federal Government, is better able to determine whether
the record is exempt from access under the Privacy Act. If the
receiving component determines that it is best able to process the
record in response to the request, then it shall do so. If the
receiving component determines that it is not best able to process the
record, then it shall follow the consultation, referral, and
coordination procedures under Sec. 16.4, subject to the requirements
in this section. Components may make agreements with other components
or agencies to eliminate the need for consultations or referrals for
particular types of records.
(e) Consultations, referrals, and coordination concerning law
enforcement information. When a component receives a Privacy Act
request for access to a record in its possession containing information
that relates to an investigation of a possible violation of law and
that originated with another component or agency of the Federal
Government, the receiving component shall either refer the
responsibility for responding to the request regarding that information
to that other component or agency or shall consult with that other
component or agency.
(f) Consultations, referrals, and coordination concerning
classified information. (1) When a component receives a Privacy Act
request for access to a record containing information that has been
classified or may be appropriate for classification by another
component or agency under any applicable Executive order concerning the
classification of records, the receiving component shall consult with
or refer the responsibility for responding to the request regarding
that information to the component or agency that classified the
information, or that should consider the information for
classification.
(2) When a component receives a Privacy Act request for access to a
record containing information that has been derivatively classified,
the receiving component shall consult with or refer the responsibility
for responding to that portion of the request to the component or
agency that classified the underlying information.
Sec. 16.43 Responses to Privacy Act requests for access to
records.
(a) In general. Components should, to the extent practicable,
communicate with requesters who have access to the internet using
electronic means, such as through email or a web portal. A component
shall honor a requester's preference for receiving a record in a
particular form or format where it is readily reproducible by the
component in the form or format requested.
(b) Acknowledgement of requests. The component responsible for
responding to the request must acknowledge, in writing, receipt of a
Privacy Act request for access. A component shall initially respond to
the requester by acknowledging the Privacy Act request for access,
assigning the request an individualized tracking number, and, if
applicable, confirming, in writing, the requester's agreement to pay
fees in accordance with Sec. 16.49.
(c) Timing of responses to a Privacy Act request for access. (1)
Components ordinarily will respond to Privacy Act requests for access
according to their order of receipt. The response time will commence on
the date that the request is received by the proper component's office
designated to receive requests, but in any event not later than ten
(10) working days after the request is first received by any
component's office designated by this subpart to receive requests.
(2) A component may designate multiple processing tracks that
distinguish between simple and more complex Privacy Act requests for
access, based on the estimated amount of work or time needed to process
the request. Among the factors a component may consider are the number
of pages involved in processing the request and the need for
consultations or referrals. Components may advise requesters of the
track into which their request falls and, when appropriate, may offer
requesters an opportunity to narrow their request so that it can be
placed in a different processing track.
(d) Granting a Privacy Act request for access. Once a component
makes a determination to grant a Privacy Act request for access, in
whole or in part, it shall notify the requester in writing. The
component shall inform the requester in the notice of any fee charged
under Sec. 16.49 and shall disclose records to the requester promptly
on payment of any applicable fee.
(e) Adverse determination to a Privacy Act request for access. A
component that makes an adverse determination to a Privacy Act request
for access, in whole or in part, shall notify the requester of the
adverse determination in writing. An adverse determination to a Privacy
Act request for access includes a determination by the component that:
the request did not reasonably describe the record sought; the
information requested is not a record subject to the Privacy Act; the
requested record is not maintained in a system of records; the
requested record is exempt, in whole or in part, from a Privacy Act
request for access under applicable exemption(s); the requested record
does not exist, cannot be located, or has been destroyed; the record is
not readily reproducible in a comprehensible form; or there is a matter
regarding disputed fees.
(f) Content of adverse determination response. An adverse
determination to a Privacy Act request for access, in whole or in part,
shall be signed by the head of the component, or the component head's
designee, and shall include:
(1) The name and title or position of the person responsible for
the adverse determination to the Privacy Act request for access;
(2) A brief statement of the reason(s) for the adverse
determination to the Privacy Act request for access, including any
Privacy Act exemption(s) applied by the component;
(3) An estimate of the volume of any records or information
withheld, if applicable, such as the number of pages or some other
reasonable form of estimation, although such an estimate is not
required if the volume is otherwise indicated or if providing an
estimate
would harm an interest protected by an applicable exemption; and
(4) A statement that the adverse determination to the Privacy Act
request for access may be appealed under Sec. 16.45, and a description
of the requirements set forth in Sec. 16.45.
Sec. 16.44 Classified information.
In processing a Privacy Act request for access, a Privacy Act
request for amendment or correction, or a Privacy Act request for
accounting, in which information is classified under any applicable
Executive order concerning the classification of records, to the extent
the requester lacks the appropriate security clearance and fails
otherwise to meet all requirements to access the classified record or
information, the originating component shall review the information in
the record to determine whether it should remain classified.
Information determined to no longer require classification shall be
de-classified and the record evaluated for an appropriate release to the
requester, subject to any applicable exemptions or exceptions. On
receipt of any appeal involving classified information, the official
responsible for adjudicating the appeal shall take appropriate action
to ensure compliance with part 17 of this title.
Sec. 16.45 Privacy Act access appeals.
(a) Requirement for making a Privacy Act access appeal. A requester
may appeal an adverse determination to a Privacy Act request for access
to the Office of Information Policy (``OIP''). The contact information
for OIP is contained in the FOIA Reference Guide, which is available at
https://www.justice.gov/oip/04_3.html. Appeals may also be submitted
through the web portal accessible on OIP's website. Examples of an
adverse determination to a Privacy Act request for access are provided
in Sec. 16.43. The requester must make the appeal in writing. To be
considered timely, the requester must postmark, or in the case of
electronic submissions, submit the request, within 90 calendar days
after the date of the adverse determination. The appeal should indicate
the assigned request number and clearly identify the component's
determination that is being appealed. To facilitate handling, the
requester should mark both the appeal letter and envelope, or include
in the subject line of any electronic communication, ``Privacy Act
Access Appeal.''
(b) Adjudication of Privacy Act access appeals. (1) The Director of
OIP, or a designee of the Director of OIP, shall act on behalf of the
Attorney General on all Privacy Act access appeals under this section,
unless the Attorney General directs otherwise.
(2) Should the Attorney General exercise the right to respond to a
Privacy Act request for access, the Attorney General's decision shall
serve as the final action of the Department and will not be subject to
a Privacy Act access appeal.
(3) A Privacy Act access appeal ordinarily will not be adjudicated
if the request becomes a matter of litigation.
(c) Responses to Privacy Act access appeals. (1) OIP shall make its
decision on an appeal in writing.
(2) A decision that upholds a component's adverse determination to
the Privacy Act request for access, in whole or in part, shall include
a brief statement of the reason(s) for the affirmance, including any
Privacy Act exemption applied, and shall provide the requester with
notification of the statutory right to file a lawsuit.
(3) A decision that reverses or modifies, in whole or in part, a
component's adverse determination to the Privacy Act request for access
shall include notice to the requester of the specific reversal or
modification. The component(s) shall thereafter further process the
request, in accordance with the appeal decision, and respond directly
to the requester, as appropriate.
(d) When a Privacy Act access appeal is required. Before seeking
review by a court of a component's refusal to grant a Privacy Act
request for access, a requester generally must first submit a timely
appeal in accordance with this section.
Sec. 16.46 Privacy Act requests for amendment or correction.
(a) Requirements for making a Privacy Act request for amendment or
correction. Unless the record is not subject to amendment or
correction, as stated in paragraph (i) of this section, individuals may
make a Privacy Act request for amendment or correction of a Department
record about themselves. Requesters must write directly to the
Department component that maintains the record. A Privacy Act request
for amendment or correction shall identify each particular record in
question, state the amendment or correction that the requester would
like to make, and state why the requester believes the record is not
accurate, relevant, timely, or complete. Requesters may submit any
documentation that would be helpful in determining the accuracy,
relevance, timeliness, or completeness of the record. If the requester
believes that the same record is in more than one Department system of
records, the requester should address the request to each component
that the requester believes maintains the record. For the quickest
possible handling, requesters should mark both their request letter and
envelope ``Privacy Act Amendment Request.'' Components and requesters
must otherwise follow the procedures and responsibilities set forth in
Sec. Sec. 16.41 and 16.42.
(b) Timing of responses to a Privacy Act request for amendment or
correction. (1) Components responsible for responding to a Privacy Act
request for amendment or correction must acknowledge, in writing,
receipt of the request no later than ten (10) working days after
receipt.
(2) Components must promptly respond to a Privacy Act request for
amendment or correction. Components ordinarily will respond to Privacy
Act requests for amendment or correction according to their order of
receipt. The response time will commence on the date that the request
is received by the proper component's office designated to receive
requests, but in any event no later than ten (10) working days after
the request is first received by any component's office designated by
this subpart to receive requests.
(3) A component may designate multiple processing tracks that
distinguish between simple and more complex Privacy Act requests for
amendment or correction, based on the estimated amount of work or time
needed to process the request. Among the factors a component may
consider are the number of pages involved in processing the request and
the need for consultations or referrals. Components may advise
requesters of the track into which their request falls and, when
appropriate, may offer requesters an opportunity to narrow their
request so that it can be placed in a different processing track.
(c) Granting a Privacy Act request for amendment or correction. If
a component grants a Privacy Act request for amendment or correction,
in whole or in part, it shall notify the requester in writing. The
component shall describe the amendment or correction made and shall
advise the requester of the requester's right to obtain a copy of the
corrected or amended record, in accordance with the Privacy Act right
of access procedures described in Sec. Sec. 16.41 through 16.45.
(d) Adverse determination to a Privacy Act request for amendment or
correction. A component that makes an adverse determination to a
Privacy Act request for amendment or correction, in whole or in part,
shall notify the requester of the determination in
writing. An adverse determination to a Privacy Act request for
amendment or correction includes a decision by the component that: the
information at issue is not a record as defined by the Privacy Act; the
requested record is not subject to amendment or correction as stated in
paragraph (i) of this section; the request does not reasonably describe
the records sought or the amendment or correction to that record; the
record at issue does not exist, cannot be located, has been destroyed,
or otherwise cannot be amended or corrected; or the record is
maintained with such accuracy, relevance, timeliness, and completeness
as is reasonably necessary to assure fairness in any determination
about the individual about whom the record pertains.
(e) Content of adverse determination response. An adverse
determination to a Privacy Act request for amendment or correction, in
whole or in part, shall be signed by the head of the component, or the
component head's designee, and shall include:
(1) The name and title or position of the person responsible for
the adverse determination to the Privacy Act request for amendment or
correction;
(2) A brief statement of the reason(s) for the adverse
determination to the Privacy Act request for amendment or correction,
including any Privacy Act exemption(s) applied by the component; and
(3) A statement that the adverse determination to the Privacy Act
request for amendment or correction may be appealed under paragraph (f)
of this section and a description of the requirements set forth in
paragraph (f).
(f) Privacy Act amendment appeals. (1) A requester may appeal an
adverse determination to a Privacy Act request for amendment or
correction, in whole or in part, to the Office of Privacy and Civil
Liberties (``OPCL''). The contact information for OPCL is available at
https://www.justice.gov/privacy. The requester must make the appeal in
writing. To be considered timely, the requester must postmark the
appeal request, or in the case of electronic submissions, submit the
appeal request, within 90 calendar days after the date of the
component's refusal to grant a Privacy Act request for amendment or
correction. The appeal should indicate the assigned request number and
clearly identify the component's determination that is being appealed.
To facilitate handling, the requester should mark both the appeal
letter and envelope, or include in the subject line of the electronic
transmission, ``Privacy Act Amendment Appeal.''
(2) The Chief Privacy and Civil Liberties Officer (``CPCLO''), or a
designee of the CPCLO, will act on behalf of the Attorney General on
all Privacy Act amendment appeals under this section, unless otherwise
directed by the Attorney General.
(3) A Privacy Act amendment appeal ordinarily will not be
adjudicated if the request becomes a matter of litigation.
(4) A decision on a Privacy Act amendment appeal must be made in
writing. A decision that upholds a component's adverse determination to
a Privacy Act request for amendment or correction, in whole or in part,
shall include a brief statement of the reason(s) for the affirmance,
including any Privacy Act exemption applied, whether the requester has
a right to file a Statement of Disagreement, as described in paragraph
(g) of this section, and the requester's statutory right to file a
lawsuit. A decision that reverses or modifies a component's adverse
determination to a Privacy Act request for amendment or correction, in
whole or in part, shall notify the requester of the specific reversal
or modification. The component shall thereafter further process the
request, in accordance with the appeal decision, and respond directly
to the requester, as appropriate.
(g) Statement of Disagreement. If a request is subject to a Privacy
Act request for amendment or correction, but the component's adverse
determination to a Privacy Act request for amendment or correction is
upheld, in whole or in part, the requester has the right to file a
Statement of Disagreement that states the requester's reason(s) for
disagreeing with the Department's refusal to grant the requester's
Privacy Act request for amendment or correction. Statements of
Disagreement must be concise, must clearly identify each part of any
record that is disputed, and should be no longer than one typed page
for each fact disputed. A Statement of Disagreement must be sent to the
component involved, which shall place it in the system of records in
which the disputed record is maintained so that the Statement of
Disagreement supplements the disputed record. The component shall mark
the disputed record to indicate that a Statement of Disagreement has
been filed and where in the system of records it may be found.
(h) Notification of amendment, correction, or Statement of
Disagreement. Within thirty (30) working days of the amendment or
correction of a record, the component that maintains the record shall
notify all persons, organizations, or agencies to which it previously
disclosed the record, if an accounting of that disclosure was made,
that the record has been amended or corrected. If an individual has
filed a Statement of Disagreement, the component shall append a copy of
it to the disputed record whenever the record is disclosed. The
component may also append a concise statement of its reason(s) for
denying the Privacy Act request for amendment or correction of the
record.
(i) Records not subject to amendment or correction. The following
records are not subject to amendment or correction:
(1) Copies of court records;
(2) Transcripts of testimony given under oath or written statements
made under oath;
(3) Transcripts of grand jury proceedings, judicial proceedings, or
quasi-judicial proceedings, which are the official record of those
proceedings;
(4) Presentence reports, and other records pertaining directly to
such reports originating with the courts;
(5) Records in a system of records that have been exempted from
amendment and correction, pursuant to 5 U.S.C. 552a(j) or (k), through
the applicable regulations in this subpart; and
(6) Records not maintained in a system of records.
Sec. 16.47 Privacy Act requests for an accounting of record
disclosures.
(a) Requirements for making a Privacy Act request for accounting of
record disclosures. Except where accountings of disclosures are not
required to be kept as stated in paragraph (c) of this section,
individuals may make a Privacy Act request for an accounting of record
disclosures about themselves that have been made by the Department to
another person, organization, or agency. This accounting contains the
date, nature, and purpose of each disclosure, as well as the name and
address of the person, organization, or agency to which the disclosure
was made. If the requester believes that the same record is in more
than one system of records, the requester should address their request
to each component that the requester believes maintains the record. For
the quickest possible handling, requesters should mark both their
request letters and envelopes ``Privacy Act Accounting Request.''
Requests must otherwise follow the procedures in Sec. 16.41.
(b) Processing Privacy Act requests for an accounting of record
disclosures. Unless otherwise specified in this section, components
shall process Privacy Act requests for accountings of record
disclosures following the procedures in Sec. Sec. 16.42 and 16.43.
(c) Where accountings of record disclosures are not required.
Components are not required to provide Privacy Act accountings of
record disclosures to a requester in cases in which they relate to:
(1) Disclosures of information not subject to the Privacy Act;
(2) Disclosures of records not maintained in a system of records;
(3) Disclosures of records maintained in a system of records for
which accountings are not required to be kept, including disclosures to
those officers and employees of the Department who have a need for the
record in the performance of their duties, 5 U.S.C. 552a(b)(1), or
disclosures that are required under the FOIA, 5 U.S.C. 552a(b)(2);
(4) Disclosures made to law enforcement agencies for authorized law
enforcement activities in response to written requests from those law
enforcement agencies specifying the law enforcement activities for
which the disclosures are sought; or
(5) Disclosures made from systems of records that have been
exempted from the accounting of record disclosure requirements pursuant
to the Privacy Act, 5 U.S.C. 552a(j) or (k), through the applicable
regulations in this subpart.
(d) Appeals. A requester may appeal a component's refusal to grant
a Privacy Act request for an accounting of record disclosures in the
same manner, and under the same procedures, as a Privacy Act access
appeal, as set forth in Sec. 16.45.
Sec. 16.48 Preservation of records.
Each component shall preserve all correspondence pertaining to the
requests that it receives under this subpart, as well as copies of all
requested records, until disposition or destruction is authorized by
title 44 of the United States Code or by the National Archives and
Records Administration's General Records Schedule 4.2. Records shall
not be disposed of while they are the subject of a pending request,
appeal, or lawsuit under the Privacy Act.
Sec. 16.49 Fees.
Components shall charge fees for duplication of records under the
Privacy Act in the same way in which they charge duplication fees for
responding to FOIA requests under Sec. 16.10. No search or review fee
may be charged for any record unless the record has been exempted from
access pursuant to exemptions enumerated in the Privacy Act, 5 U.S.C.
552a(j)(2) or (k)(2).
Sec. 16.50 Notice of compulsory legal process and emergency
disclosures.
(a) Legal process disclosures. Components shall make reasonable
efforts to provide notice to an individual whose record is disclosed
under compulsory legal process, such as an order by a court of
competent jurisdiction, and such process becomes a matter of public
record. Notice shall be given within a reasonable time after the
component's receipt of process, except that in a case in which such
process is not a matter of public record, the notice shall be given
within a reasonable time only after such process becomes public. Where
an individual, or the individual's legal counsel, has not otherwise
received notice of the disclosure in the litigation process, notice
shall be mailed to the individual's last known address and shall
contain a copy of such process and a description of the information
disclosed. Notice shall not be required if disclosure is made from a
system of records that has been exempted from the notice requirement.
(b) Emergency disclosures. Upon disclosing a record pertaining to
an individual made under compelling circumstances affecting health or
safety, the component shall notify that individual of the disclosure.
This notice shall be mailed to the individual's last known address and
shall state the nature of the information disclosed; the person,
organization, or agency to which it was disclosed; the date of
disclosure; and the compelling circumstances justifying the disclosure.
Sec. 16.51 Security of systems of records.
(a) Each component shall establish and maintain administrative,
technical, and physical controls consistent with applicable Department
and Government-wide laws, regulations, policies, and standards, to
ensure the security and confidentiality of records, and to protect
against reasonably anticipated threats or hazards to their security or
integrity, including against any reasonably anticipated unauthorized
access, use, or disclosure, which could result in substantial harm,
embarrassment, inconvenience, or unfairness to individuals about whom
information is maintained. The stringency of these controls shall
correspond to the sensitivity of the records that the controls protect.
At a minimum, each component shall maintain administrative, technical,
or physical controls to ensure that:
(1) Records are protected from unauthorized access, including
unauthorized public access;
(2) The physical area in which records are maintained is supervised
or appropriately secured to prevent unauthorized persons from having
access to them;
(3) Records are protected from damage, loss, or unauthorized
alteration or destruction; and
(4) Records are not disclosed to unauthorized persons or to
authorized persons for unauthorized purposes in either oral or written
form.
(b) Each component shall establish procedures that restrict access
to records to only those individuals within the Department who must
have access to those records in order to perform their duties and that
prevent inadvertent disclosure of records.
(c) The CPCLO, or a designee of the CPCLO, may impose additional
administrative, technical, or physical controls to protect records in
consultation with the Chief Information Officer and the Director of the
Office of Records Management Policy.
Sec. 16.52 Contracts for the operation of record systems.
(a) Any approved contract for the operation of a system of records
shall contain the standard contract terms and conditions in accordance
with the Federal Acquisition Regulations in 48 CFR chapter 28 and may
also contain additional privacy-related terms and conditions to ensure
compliance with the requirements of the Privacy Act for that system of
records. The contracting component will be responsible for ensuring
that the contractor complies with these contract requirements.
(b) The CPCLO, a designee of the CPCLO, or contracting components
may impose additional contract requirements to further protect records.
Sec. 16.53 Use and collection of Social Security account numbers.
(a) Purpose and scope. This section contains the rules that the
Department of Justice follows in handling Social Security account
numbers in accordance with section 7 of the Privacy Act, and with the
Social Security Fraud Prevention Act.
(b) Definitions. For the purposes of this section:
Mail means any physical package sent to entities or individuals
outside the Department through the United States Postal Service or any
other express mail carrier; and
Necessary includes only those circumstances in which a component
would be unable to comply, in whole or in part, with a legal,
regulatory, or policy requirement if prohibited from mailing the full
Social Security account number. Including the full Social Security
account number of an individual on a document sent by mail is not
``necessary'' if a legal, regulatory, or policy requirement could be
satisfied
by either partially redacting the Social Security account number in
accordance with paragraph (d)(3) of this section, or entirely removing
the Social Security account number.
(c) Denial of rights, benefits, or privileges. Components are
prohibited from denying any right, benefit, or privilege provided by
law to an individual because of such individual's refusal to disclose
the individual's Social Security account number. This paragraph (c)
shall not apply with respect to:
(1) Any disclosure that is required by Federal statute; or
(2) The disclosure of a Social Security account number to any
Federal, State, or local agency maintaining a system of records in
existence and operating before January 1, 1975, if such disclosure was
required under statute or regulation adopted prior to such date to
verify the identity of an individual.
(d) Restriction of Social Security account numbers on documents
sent by mail. (1) A component shall not include the full Social
Security account number of an individual on any document sent by mail,
unless the inclusion of the Social Security account number on the
document is necessary. Unless the Attorney General directs otherwise,
the CPCLO is authorized to assist components in implementing this
paragraph (d), including determining whether inclusion of the Social
Security account number on a document sent by mail is necessary.
(2) If the use of the full Social Security account number on a
document sent by mail is necessary, the component sending the document
shall implement appropriate administrative, technical, and physical
safeguards to ensure a reasonable level of security against
unauthorized access to, and use, disclosure, disruption, modification,
or destruction of, the documents sent by mail.
(3) Where feasible, components should partially redact the Social
Security account number on any document sent by mail by including no
more than the last four digits of the Social Security account number.
Components should prioritize technical methods to redact Social
Security account numbers.
(4) Components are prohibited from placing a Social Security
account number, whether full or partially redacted, on the outside of
any mail.
(e) Employee awareness. Each component shall ensure that employees
authorized to collect Social Security account numbers are made aware of
the following:
(1) The requirements of paragraphs (c) and (d) of this section;
(2) That individuals requested to provide their Social Security
account numbers must be informed of:
(i) Whether providing Social Security account numbers is mandatory
or voluntary;
(ii) Any statutory or regulatory authority that authorizes the
collection of Social Security account numbers; and
(iii) The uses that will be made of the Social Security account
numbers; and
(3) That the Department may have other regulations or policies
regulating the use, maintenance, or disclosure of Social Security
account numbers by which employees must abide.
Sec. 16.54 Employee standards of conduct.
Each component shall inform its employees and any contractors
involved in developing or maintaining a system of records of the
provisions of the Privacy Act, including the Privacy Act's civil
liability and criminal penalty provisions. Unless otherwise permitted
by law, employees and contractors of the Department shall:
(a) Collect from individuals only the information that is relevant
and necessary to discharge the responsibilities of the Department;
(b) Collect information about an individual directly from that
individual whenever practicable;
(c) Inform each individual asked to supply information for a record
pertaining to that individual of:
(1) The legal authority to collect the information and whether
providing it is mandatory or voluntary;
(2) The principal purpose for which the Department intends to use
the information;
(3) The routine uses the Department may make of the information;
and
(4) The effects on the individual, if any, of not providing the
information;
(d) Ensure that the component maintains no system of records
without public notice and that it notifies appropriate Department
officials of the existence or development of any system of records that
is not the subject of a current or planned public notice;
(e) Maintain all records that are used by the Department in making
any determination about an individual with such accuracy, relevance,
timeliness, and completeness as is reasonably necessary to ensure
fairness to the individual in the determination;
(f) Except as to disclosures made to an agency or made under the
FOIA, make reasonable efforts, prior to disseminating any record about
an individual, to ensure that the record is accurate, relevant, timely,
and complete;
(g) Maintain no record describing how an individual exercises the
individual's First Amendment rights, unless maintaining the record is
expressly authorized by statute or by the individual about whom the
record is maintained, or is pertinent to and within the scope of an
authorized law enforcement activity;
(h) When required by the Privacy Act, maintain an accounting in the
specified form of all disclosures of records by the Department to
persons, organizations, or agencies;
(i) Maintain and use records with care to prevent the loss or the
unauthorized or inadvertent disclosure of a record to anyone;
(j) Notify the appropriate Department official of any record that
contains information that the Privacy Act does not permit the
Department to maintain; and
(k) Read, acknowledge, and agree to abide by the Department of
Justice rules of behavior for accessing, collecting, using, and
maintaining Department information.
Sec. 16.55 Other rights and services.
Nothing in this subpart shall be construed to entitle any person,
as of right, to any service or to the disclosure of any record to which
such person is not entitled under the Privacy Act, the Social Security
Fraud Reduction Act, or the Judicial Redress Act.
3. Amend appendix I to part 16 by revising the first two paragraphs to
read as follows:
Appendix I to Part 16--Components of the Department of Justice
Please consult Attachment B of the Department of Justice FOIA
Reference Guide for the contact information and a detailed
description of the types of records maintained by each Department
component. The FOIA Reference Guide is available at https://www.justice.gov/oip/department-justice-freedom-information-act-reference-guide or upon request to the Office of Information Policy
(OIP).
The Department component offices, and any component-specific
requirements, for making a FOIA or Privacy Act request are listed in
this appendix. The Certification
of Identity form, available at https://www.justice.gov/oip/doj-reference-guide-attachment-d-copies-forms, may be used by
individuals who are making requests for records pertaining to
themselves. For each of the six components marked with an asterisk,
FOIA and Privacy Act requests for access must be sent to OIP, which
handles initial requests for those six components.
* * * * *
Dated: January 2, 2024.
Merrick B. Garland,
Attorney General.
[FR Doc. 2024-00282 Filed 1-9-24; 8:45 am]
BILLING CODE 4410-PJ-P