Federal Agency Responsibilities for Maintaining Records About Individuals
1. Purpose and Scope.
This Appendix describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974, 5 U.S.C. 552a, as amended (hereinafter "the Act"). It applies to all agencies subject to the Act. Note that this Appendix does not rescind other guidance OMB has issued to help agencies interpret the Privacy Act's provisions, e.g., Privacy Act Guidelines (40 FR 28949-28978, July 9, 1975), or Final Guidance for Conducting Matching Programs (54 FR at 25819, June 19, 1989).
2. Definitions.
- The terms "agency," "individual," "maintain," "matching program," "record," "system of records," and "routine use," as used in this Appendix, are defined in the Act (5 U.S.C. 552a(a)).
- Matching Agency. Generally, the Recipient Federal agency (or the Federal source agency in a match conducted by a nonfederal agency) is the matching agency and is responsible for meeting the reporting and publication requirements associated with the matching program. However, in large, multi-agency matching programs, where the recipient agency is merely performing the matches and the benefit accrues to the source agencies, the partners should assign responsibility for compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching agency carry out these requirements for all parties, having one participant designated to do so, or having each source agency do so for its own matching program(s).
- Nonfederal Agency. Nonfederal agencies are State or local governmental agencies receiving or providing records in a matching program with a Federal agency.
- Recipient Agency. Recipient agencies are Federal agencies or their contractors receiving automated records from the Privacy Act systems of records of other Federal agencies, or from State or local governments, to be used in a matching program as defined in the Act.
- Source Agency. A source agency is a Federal agency that discloses automated records from a system of records to another Federal agency or to a State or local agency to be used in a matching program. It is also a State or local agency that discloses records to a Federal agency for use in a matching program.
3. Assignment of Responsibilities.
- All Federal Agencies. In addition to meeting the agency requirements contained in the Act and the specific reporting and publication requirements detailed in this Appendix, the head of each agency shall ensure that the following reviews are conducted as often as specified below, and be prepared to report to the Director, OMB, the results of such reviews and the corrective action taken to resolve problems uncovered. The head of each agency shall:
(1) Section (m) Contracts. Review every two years a random sample of agency contracts that provide for the maintenance of a system of records on behalf of the agency to accomplish an agency function, in order to ensure that the wording of each contract makes the provisions of the Act binding on the contractor and his or her employees. (See 5 U.S.C. 552a(m)(1))
(2) Recordkeeping Practices. Review biennially agency recordkeeping and disposal policies and practices in order to assure compliance with the Act, paying particular attention to the maintenance of automated records.
(3) Routine Use Disclosures. Review every four years the routine use disclosures associated with each system of records in order to ensure that the recipient's use of such records continues to be compatible with the purpose for which the disclosing agency collected the information.
(4) Exemption of Systems of Records. Review every four years each system of records for which the agency has promulgated exemption rules pursuant to Section (j) or (k) of the Act in order to determine whether such exemption is still needed.
(5) Matching Programs. Review annually each ongoing matching program in which the agency has participated during the year in order to ensure that the requirements of the Act, the OMB guidance, and any agency regulations, operating instructions, or guidelines have been met.
(6) Privacy Act Training. Review biennially agency training practices in order to ensure that all agency personnel are familiar with the requirements of the Act, with the agency's implementing regulation, and with any special requirements of their specific jobs.
(7) Violations. Review biennially the actions of agency personnel that have resulted either in the agency being found civilly liable under Section (g) of the Act, or an employee being found criminally liable under the provisions of Section (i) of the Act, in order to determine the extent of the problem, and to find the most effective way to prevent recurrence of the problem.
(8) Systems of Records Notices. Review biennially each system of records notice to ensure that it accurately describes the system of records. Where minor changes are needed, e.g., the name of the system manager, ensure that an amended notice is published in the Federal Register. Agencies may choose to make one annual comprehensive publication consolidating such minor changes. This requirement is distinguished from and in addition to the requirement to report to OMB and Congress significant changes to systems of records and to publish those changes in the Federal Register (See paragraph 4c of this Appendix).
- Department of Commerce. The Secretary of Commerce shall, consistent with guidelines issued by the Director, OMB, develop and issue standards and guidelines for ensuring the security of information protected by the Act in automated
- The Department of Defense, General Services Administration, and National Aeronautics and Space Administration. These agencies shall, consistent with guidelines issued by the Director, OMB, ensure that instructions are issued on what agencies must do in order to comply with the requirements of Section (m) of the Act when contracting for the operation of a system of records to accomplish an agency purpose.
- Office of Personnel Management. The Director of the Office of Personnel Management shall, consistent with guidelines issued by the Director, OMB:
(1) Develop and maintain government-wide standards and procedures for civilian personnel information processing and recordkeeping directives to assure conformance with the Act.
(2) Develop and conduct Privacy Act training programs for agency personnel, including both the conduct of courses in various substantive areas (e.g., administrative, information technology) and the development of materials that agencies can use in their own courses. The assignment of this responsibility to OPM does not affect the responsibility of individual agency heads for developing and conducting training programs tailored to the specific needs of their own personnel.
- National Archives and Records Administration. The Archivist of the United States, through the Office of the Federal Register, shall, consistent with guidelines issued by the Director, OMB:
(1) Issue instructions on the format of the agency notices and rules required to be published under the Act.
(2) Compile and publish every two years, the rules promulgated under 5 U.S.C. 552a(f) and agency notices published under 5 U.S.C. 552a(e)(4) in a form available to the public at low cost.
(3) Issue procedures governing the transfer of records to Federal Records Centers for storage, processing, and servicing pursuant to 44 U.S.C. 3103. For purposes of the Act, such records are considered to be maintained by the agency that deposited them. The Archivist may disclose deposited records only according to the access rules established by the agency that deposited them.
- Office of Management and Budget. The Director of the Office of Management and Budget will:
(1) Issue guidelines and directives to the agencies to implement the Act.
(2) Assist the agencies, at their request, in implementing their Privacy Act programs.
(3) Review new and altered system of records and matching program reports submitted pursuant to Section (o) of the Act.
(4) Compile the biennial report of the President to Congress in accordance with Section (s) of the Act.
(5) Compile and issue a biennial report on the agencies' implementation of the computer matching provisions of the Privacy Act, pursuant to Section (u)(6) of the Act.
4. Reporting Requirements. The Privacy Act requires agencies to make the following kinds of reports:

| Report | When Due | Recipient ** |
|---|---|---|
| Biennial Privacy Act Report | June 30, 1996, 1998, 2000, 2002 | Administrator, OIRA |
| Biennial Matching Activity Report | June 30, 1996, 1998, 2000, 2002 | Administrator, OIRA |
| New System of Records Report | When establishing a system of records - at least 40 days before operating the system * | Administrator, OIRA; Congress |
| Altered System of Records Report | When adding a new routine use, exemption, or otherwise significantly altering an existing system of records - at least 40 days before change to system takes place * | Administrator, OIRA; Congress |
| New Matching Program Report | When establishing a new matching program - at least 40 days before operating the program * | Administrator, OIRA; Congress |
| Renewal of Existing Matching Program | At least 40 days prior to expiration of any one year extension of the original program - treat as a new program | Administrator, OIRA; Congress |
| Altered Matching Program | When making a significant change to an existing matching program - at least 40 days before operating an altered program * | Administrator, OIRA; Congress |
| Matching Agreements | At least 40 days prior to the start of a matching program * | Congress |

* Review Period: Note that the statutory reporting requirement is 30 days prior; the additional ten days will ensure that OMB and Congress have sufficient time to review the proposal. Agencies should therefore ensure that reports are mailed expeditiously after being signed.
** Recipient Addresses: At bottom of envelope print "PRIVACY ACT REPORT"
House of Representatives: The Chair of the House Committee on Government Reform and Oversight, 2157 RHOB, Washington, D.C. 20515-6143.
Senate: The Chair of the Senate Committee on Governmental Affairs, 340 SDOB, Washington, D.C. 20510-6250.
Office of Management and Budget: The Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, ATTN: Docket Library, NEOB Room 10012, Washington, D.C. 20503.
- Biennial Privacy Act Report. To provide the necessary information for the biennial report of the President, agencies shall submit a biennial report to OMB, covering their Privacy Act activities for the calendar years covered by the reporting period. The exact format of the report will be established by OMB. At a minimum, however, agencies should collect and be prepared to report the following data on a calendar year basis:
(1) A listing of publication activity during the year showing the following:
- Total Number of Systems of Records (Exempt/NonExempt)
- Number of New Systems of Records Added (Exempt/NonExempt)
- Number Routine Uses Added
- Number Exemptions Added to Existing Systems
- Number Exemptions Deleted from Existing Systems
- Total Number of Automated Systems of Records (Exempt/NonExempt)
The agency should provide a brief narrative describing those activities in detail, e.g., "the Department added a (k)(1) exemption to an existing system of records entitled "Investigative Records of the Office of Investigations;" or "the agency added a new routine use to a system of records entitled "Employee Health Records" that would permit disclosure of health data to researchers under contract to the agency to perform workplace risk analysis."
(2) A brief description of any public comments received on agency publication and implementation activities, and agency response.
(3) Number of access and amendment requests from record subjects citing the Privacy Act that were received during the calendar year of the report. Also the disposition of requests from any year that were completed during the calendar year of the report:
- Total Number of Access Requests: Number Granted in Whole; Number Granted in Part; Number Wholly Denied; Number For Which No Record Found
- Total Amendment Requests: Number Granted in Whole; Number Granted in Part; Number Wholly Denied
- Number of Appeals of Denials of Access: Number Granted in Whole; Number Granted in Part; Number Wholly Denied; Number For Which No Record Found
- Number of Appeals of Denials of Amendment: Number Granted in Whole; Number Granted in Part; Number Wholly Denied
(4) Number of instances in which individuals brought suit under section (g) of the Privacy Act against the agency and the results of any such litigation that resulted in a change to agency practices or affected guidance issued by OMB.
(5) Results of the reviews undertaken in response to paragraph 3a of this Appendix.
(6) Description of agency Privacy Act training activities conducted in accordance with paragraph 3a(6) of this Appendix.
- Biennial Matching Activity Report (See 5 U.S.C. 552a(u)(3)(D)). At the end of each calendar year, the Data Integrity Board of each agency that has participated in a matching program will collect data summarizing that year's matching activity. The Act requires that such activity be reported every two years. OMB will establish the exact format of the report, but agencies' Data Integrity Boards should be prepared to report the data identified below both to the agency head and to OMB:
(1) A listing of the names and positions of the members of the Data Integrity Board and showing separately the name of the Board Secretary, his or her agency mailing address, and telephone number. Also show and explain any changes in membership or structure occurring during the reporting year.
(2) A listing of each matching program, by title and purpose, in which the agency participated during the reporting year. This listing should show names of participant agencies, give a brief description of the program, and give a page citation and the date of the Federal Register notice describing the program.
(3) For each matching program, an indication of whether the cost/benefit analysis performed resulted in a favorable ratio. The Data Integrity Board should explain why the agency proceeded with any matching program for which an unfavorable ratio was reached.
(4) For each program for which the Board waived a cost/benefit analysis, the reasons for the waiver and the results of the match, if tabulated.
(5) A description of any matching agreement the Board rejected and an explanation of the rejection.
(6) A listing of any violations of matching agreements that have been alleged or identified, and a discussion of any action taken.
(7) A discussion of any litigation involving the agency's participation in any matching program.
(8) For any litigation based on allegations of inaccurate records, an explanation of the steps the agency used to ensure the integrity of its data as well as the verification process it used in the matching program, including an assessment of the adequacy of each.
- New and Altered System of Records Report. The Act requires agencies to publish notices in the Federal Register describing new or altered systems of records, and to submit reports to OMB, to the Chair of the Committee on Government Reform and Oversight of the House of Representatives, and to the Chair of the Committee on Governmental Affairs of the Senate. The reports must be transmitted at least 40 days prior to the operation of the new system of records or the date on which the alteration to an existing system takes place.
(1) Which Alterations Require a Report. Minor changes to systems of records need not be reported. For example, a change in the designation of the system manager due to a reorganization would not require a report, so long as an individual's ability to gain access to his or her records is not affected. Other examples include changing applicable safeguards as a result of a risk analysis or deleting a routine use when there is no longer a need for the disclosure. The following changes are those for which a report is required:
(a) A significant increase in the number, type, or category of individuals about whom records are maintained. For example, a system covering physicians that has been expanded to include other types of health care providers, e.g., nurses, technicians, etc., would require a report. Increases attributable to normal growth should not be reported.
(b) A change that expands the types or categories of information maintained. For example, a benefit system which originally included only earned income information that has been expanded to include unearned income information.
(c) A change that alters the purpose for which the information is used.
(d) A change to equipment configuration (either hardware or software) that creates substantially greater access to the records in the system of records. For example, locating interactive terminals at regional offices for accessing a system formerly accessible only at the headquarters would require a report.
(e) The addition of an exemption pursuant to Section (j) or (k) of the Act. Note that, in examining a rulemaking for a Privacy Act exemption as part of a report of a new or altered system of records, OMB will also review the rule under applicable regulatory review procedures and agencies need not make a separate submission for that purpose.
(f) The addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).
(2) Reporting Changes to Multiple Systems of Records. When an agency makes a change to an information technology installation or a telecommunication network, or makes any other general changes in information collection, processing, dissemination, or storage that affect multiple systems of records, it may submit a single, consolidated report, with changes to existing notices and supporting documentation included in the submission.
(3) Contents of the New or Altered System Report. The report for a new or altered system has three elements: a transmittal letter, a narrative statement, and supporting documentation.
(a) Transmittal Letter. The transmittal letter should be signed by the senior agency official responsible for implementation of the Act within the agency and should contain the name and telephone number of the individual who can best answer questions about the system of records. The letter should contain the agency's assurance that the proposed system does not duplicate any existing agency or government-wide systems of records. The letter sent to OMB may also include a request for waiver of the time period for the review. The agency should indicate why it cannot meet the established review period and the consequences of not obtaining the waiver. (See paragraph 4e below.) There is no prescribed format for the letter.
(b) Narrative Statement. There is also no prescribed format for the narrative statement, but it should be brief. It should make reference, as appropriate, to information in the supporting documentation rather than restating such information. The statement should:
1. Describe the purpose for which the agency is establishing the system of records.
2. Identify the authority under which the system of records is maintained. The agency should avoid citing housekeeping statutes, but rather cite the underlying programmatic authority for collecting, maintaining, and using the information. When the system is being operated to support an agency housekeeping program, e.g., a carpool locator, the agency may, however, cite a general housekeeping statute that authorizes the agency head to keep such records as necessary.
3. Provide the agency's evaluation of the probable or potential effect of the proposal on the privacy of individuals.
4. Provide a brief description of the steps taken by the agency to minimize the risk of unauthorized access to the system of records. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established shall be made available to OMB upon request.
5. Explain how each proposed routine use satisfies the compatibility requirement of subsection (a)(7) of the Act. For altered systems, this requirement pertains only to any newly proposed routine use.
6. Provide OMB Control Numbers, expiration dates, and titles of any information collection requests (e.g., forms, surveys, etc.) contained in the system of records and approved by OMB under the Paperwork Reduction Act. If the request for OMB clearance of an information collection is pending, the agency may simply state the title of the collection and the date it was submitted for OMB clearance.
(c) Supporting Documentation. Attach the following to all new or altered system of records reports:
1. A copy of the new or altered system of records notice consistent with the provisions of 5 U.S.C. 552a(e)(4). The notice must appear in the format prescribed by the Office of the Federal Register's Document Drafting Handbook. For proposed altered systems the agency should supply a copy of the original system of records notice to ensure that reviewers can understand the changes proposed. If the sole change to an existing system of records is to add a routine use, the agency should either republish the entire system of records notice, a condensed description of the system of records, or a citation to the last full text Federal Register publication.
2. A copy in Federal Register format of any new exemption rules or changes to published rules (consistent with the provisions of 5 U.S.C. 552a(f),(j), or (k)) that the agency proposes to issue for the new or altered system.
(4) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide comments if appropriate. Agencies may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40 days from the date the transmittal letter was signed. Agencies should ensure that letters are transmitted expeditiously after they are signed.
(5) Timing of Systems of Records Reports. Agencies may publish system of records and routine use notices as well as proposed exemption rules in the Federal Register at the same time that they send the new or altered system report to OMB and Congress. The period for OMB and congressional review and the notice and comment period for routine uses and exemptions will then run concurrently. Note that exemptions must be published as final rules before they are effective.
- New or Altered Matching Program Report. The Act requires agencies to publish notices in the Federal Register describing new or altered matching programs, and to submit reports to OMB and to Congress. The report must be received at least 40 days prior to the initiation of any matching activity carried out under a new or substantially altered matching program. For renewals of continuing programs, the report must be dated at least 40 days prior to the expiration of any existing matching agreement.
(1) When to Report Altered Matching Programs. Agencies need not report minor changes to matching programs. The term "minor change to a matching program" means a change that does not significantly alter the terms of the agreement under which the program is being carried out. Examples of significant changes include:
(a) Changing the purpose for which the program was established.
(b) Changing the matching population, either by including new categories of record subjects or by greatly increasing the numbers of records matched.
(c) Changing the legal authority covering the matching program.
(d) Changing the source or recipient agencies involved in the matching program.
(2) Contents of New or Altered Matching Program Report. The report for a new or altered matching program has three elements: a transmittal letter, a narrative statement, and supporting documentation that includes a copy of the proposed Federal Register notice.
(a) Transmittal Letter. The transmittal letter should be signed by the senior agency official responsible for implementation of the Privacy Act within the agency and should contain the name and telephone number of the individual who can best answer questions about the matching program. The letter should state that a copy of the matching agreement has been distributed to Congress as the Act requires. The letter to OMB may also include a request for waiver of the review time period. (See 4e below.)
(b) Narrative Statement. There is no prescribed format for the narrative statement, but it should be brief. It should make reference, as appropriate, to information in the supporting documentation rather than restating such information. The statement should provide:
1. A description of the purpose of the matching program and the authority under which it is being carried out.
2. A description of the security safeguards used to protect against any unauthorized access or disclosure of records used in the match.
3. If the cost/benefit analysis required by Section (u)(4)(A) indicated an unfavorable ratio or was waived pursuant to OMB guidance, an explanation of the basis on which the agency justifies conducting the match.
(c) Supporting Documentation. Attach the following:
1. A copy of the Federal Register notice describing the matching program. The notice must appear in the format prescribed by the Office of the Federal Register's Document Drafting Handbook. (See 5b (3).)
2. For the Congressional report only, a copy of the matching agreement.
(3) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide comments if appropriate. Agencies may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40 days from the date the transmittal letter was signed.
(4) Timing of Matching Program Reports. Agencies should ensure that letters are transmitted expeditiously after they are signed. Agencies may publish matching program notices in the Federal Register at the same time that they send the matching program report to OMB and Congress. The period for OMB and congressional review and the notice and comment period will then run concurrently.
- Expedited Review. The Director, OMB, may grant a waiver of the 40-day review period for either systems of records or matching program reviews. The agency must ask for the waiver in the transmittal letter and demonstrate compelling reasons. When a waiver is granted, the agency is not thereby relieved of any other requirement of the Act. If no waiver is granted, agencies may presume concurrence at the expiration of the 40 day review period if OMB has not commented by that time. Note that OMB cannot waive time periods specifically established by the Act such as the 30 days notice and comment period required for the adoption of a routine use proposal pursuant to Section (b)(3) of the Act.
5. Publication Requirements. The Privacy Act requires agencies to publish notices or rules in the Federal Register in the following circumstances: when adopting a new or altered system of records, when adopting a routine use, when adopting an exemption for a system of records, or when proposing to carry out a new or altered matching program. (See paragraph 4c(1) and 4d(1) above on what constitutes an alteration requiring a report to OMB and the Congress.)
- Publishing New or Altered Systems of Records Notices and Exemption Rules.
(1) Who Publishes. The agency responsible for operating the system of records makes the necessary publication. Publication should be carried out at the departmental or agency level. Even where a system of records is to be operated exclusively by a component, the department rather than the component should publish the notice. Thus, for example, the Department of the Treasury would publish a system of records notice covering a system operated exclusively by the Internal Revenue Service. Note that if the agency is proposing to exempt the system under Section (j) or (k) of the Act, it must publish a rule in addition to the system of records notice.
(a) Government-wide Systems of Records. Certain agencies publish systems of records containing records for which they have government-wide responsibilities. The records may be located in other agencies, but they are being used under the authority of and in conformance with the rules mandated by the publishing agency. The Office of Personnel Management, for example, has published a number of government-wide systems of records relating to the operation of the government's personnel program. Agencies should not publish systems of records that wholly or partly duplicate existing government-wide systems of records.
(b) Section (m) Contract Provisions. When an agency provides by contract for the operation of a system of records, it should ensure that a system of records notice describing the system has been published. It should also review the notice to ensure that it contains a routine use under Section (e)(4)(D) of the Act permitting disclosure to the contractor and his or her personnel.
(2) When to Publish.
(a) System Notice. The system of records notice must appear in the Federal Register before the agency begins to operate the system, e.g., collect and use the information.
(b) Routine Use. A routine use must be published in the Federal Register 30 days before the agency discloses records pursuant to its terms. (Note that the addition of a routine use to an existing system of records requires a report to OMB and Congress, and that the review period for this report is 40 days.)
(c) Exemption Rule. A rule exempting a system of records under (j) or (k) or the Act must be established through informal rulemaking pursuant to the Administrative Procedure Act. This process generally requires publication of a proposed rule, a period during which the public may comment, publication of a final rule, and the adoption of the final rule. Agencies may not withhold records under an exemption until these requirements have been met.
(3) Format. Agencies should follow the publication format contained in the Office of the Federal Register's Document Drafting Handbook which may be obtained from the Government Printing Office.
- Publishing Matching Notices.
(1) Who Publishes. Generally, the recipient Federal agency (or the Federal source agency in a match conducted by a nonfederal agency) is responsible for publishing in the Federal Register a notice describing the new or altered matching program. However, in large, multi-agency matching programs, where the recipient agency is merely performing the matches, and the benefit accrues to the source agencies, the partners should assign responsibility for compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching agency carry out these requirements for all parties, having one participant designated to do so, or having each source agency do so for its own matching program(s).
(2) Timing. Publication must occur at least 30 days prior to the initiation of any matching activity carried out under a new or substantially altered matching program. For renewals of programs agencies wish to continue past the 30 month period of initial eligibility (i.e., the initial 18 months plus a one year extension), publication must occur at least 30 days prior to the expiration of the existing matching agreement. (But note that a report to OMB and the Congress is also required with a 40 day review period).
(3) Format. The matching notice shall be in the format prescribed by the Office of the Federal Register's Document Drafting Handbook and contain the following information:
(a) The name of the Recipient Agency.
(b) The name(s) of the Source Agencies.
(c) The beginning and ending dates of the match.
(d) A brief description of the matching program, including its purpose; the legal authorities authorizing its operation; categories of individuals involved; and identification of records used, including name(s) of Privacy Act systems of records.
(e) The identification, address, and telephone number of a Recipient Agency official who will answer public inquiries about the program.