1. Purpose and Scope.
This Appendix describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974, 5 U.S.C. 552a, as amended (hereinafter "the Act"). It applies to all agencies subject to the Act. Note that this Appendix does not rescind other guidance OMB has issued to help agencies interpret the Privacy Act's provisions, e.g., Privacy Act Guidelines (40 FR 28949-28978, July 9, 1975), or Final Guidance for Conducting Matching Programs (54 FR at 25819, June 19, 1989).
2. Definitions.
3. Assignment of Responsibilities.
4. Reporting Requirements. The Privacy Act requires agencies to make the following kinds of reports:
Report | When Due | Recipient **
Biennial Privacy Act Report | June 30, 1996, 1998, 2000, 2002 | Administrator, OIRA
Biennial Matching Activity Report | June 30, 1996, 1998, 2000, 2002 | Administrator, OIRA
New System of Records Report | When establishing a system of records - at least 40 days before operating the system * | Administrator, OIRA, Congress
Altered System of Records Report | When adding a new routine use, exemption, or otherwise significantly altering an existing system of records - at least 40 days before the change to the system takes place * | Administrator, OIRA, Congress
New Matching Program Report | When establishing a new matching program - at least 40 days before operating the program * | Administrator, OIRA, Congress
Renewal of Existing Matching Program | At least 40 days prior to expiration of any one-year extension of the original program - treat as a new program | Administrator, OIRA, Congress
Altered Matching Program | When making a significant change to an existing matching program - at least 40 days before operating the altered program * | Administrator, OIRA, Congress
Matching Agreements | At least 40 days prior to the start of a matching program * | Congress
* Review Period: Note that the statutory reporting requirement is 30 days prior; the additional ten days will ensure that OMB and Congress have sufficient time to review the proposal. Agencies should therefore ensure that reports are mailed expeditiously after being signed.
** Recipient Addresses: At the bottom of the envelope, print "PRIVACY ACT REPORT".
House of Representatives: The Chair of the House Committee on Government Reform and Oversight, 2157 RHOB, Washington, D.C. 20515-6143.
Senate: The Chair of the Senate Committee on Governmental Affairs, 340 SDOB, Washington, D.C. 20510-6250.
Office of Management and Budget: The Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, ATTN: Docket Library, NEOB Room 10012, Washington, D.C. 20503.
The agency should provide a brief narrative describing those activities in detail, e.g., "the Department added a (k)(1) exemption to an existing system of records entitled 'Investigative Records of the Office of Investigations'"; or "the agency added a new routine use to a system of records entitled 'Employee Health Records' that would permit disclosure of health data to researchers under contract to the agency to perform workplace risk analysis."
(2) A brief description of any public comments received on agency publication and implementation activities, and agency response.
(3) Number of access and amendment requests from record subjects citing the Privacy Act that were received during the calendar year of the report. Also the disposition of requests from any year that were completed during the calendar year of the report:
(4) Number of instances in which individuals brought suit under section (g) of the Privacy Act against the agency and the results of any such litigation that resulted in a change to agency practices or affected guidance issued by OMB.
(5) Results of the reviews undertaken in response to paragraph 3a of this Appendix.
(6) Description of agency Privacy Act training activities conducted in accordance with paragraph 3a(6) of this Appendix.
(2) A listing of each matching program, by title and purpose, in which the agency participated during the reporting year. This listing should show names of participant agencies, give a brief description of the program, and give a page citation and the date of the Federal Register notice describing the program.
(3) For each matching program, an indication of whether the cost/benefit analysis performed resulted in a favorable ratio. The Data Integrity Board should explain why the agency proceeded with any matching program for which an unfavorable ratio was reached.
(4) For each program for which the Board waived a cost/benefit analysis, the reasons for the waiver and the results of the match, if tabulated.
(5) A description of any matching agreement the Board rejected and an explanation of the rejection.
(6) A listing of any violations of matching agreements that have been alleged or identified, and a discussion of any action taken.
(7) A discussion of any litigation involving the agency's participation in any matching program.
(8) For any litigation based on allegations of inaccurate records, an explanation of the steps the agency used to ensure the integrity of its data as well as the verification process it used in the matching program, including an assessment of the adequacy of each.
(b) A change that expands the types or categories of information maintained. For example, a benefit system that originally included only earned income information and has been expanded to include unearned income information.
(c) A change that alters the purpose for which the information is used.
(d) A change to equipment configuration (either hardware or software) that creates substantially greater access to the records in the system of records. For example, locating interactive terminals at regional offices for accessing a system formerly accessible only at the headquarters would require a report.
(e) The addition of an exemption pursuant to Section (j) or (k) of the Act. Note that, in examining a rulemaking for a Privacy Act exemption as part of a report of a new or altered system of records, OMB will also review the rule under applicable regulatory review procedures and agencies need not make a separate submission for that purpose.
(f) The addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).
(2) Reporting Changes to Multiple Systems of Records. When an agency makes a change to an information technology installation or a telecommunication network, or makes any other general changes in information collection, processing, dissemination, or storage that affect multiple systems of records, it may submit a single, consolidated report, with changes to existing notices and supporting documentation included in the submission.
(3) Contents of the New or Altered System Report. The report for a new or altered system has three elements: a transmittal letter, a narrative statement, and supporting documentation.
2. Identify the authority under which the system of records is maintained. The agency should avoid citing housekeeping statutes, but rather cite the underlying programmatic authority for collecting, maintaining, and using the information. When the system is being operated to support an agency housekeeping program, e.g., a carpool locator, the agency may, however, cite a general housekeeping statute that authorizes the agency head to keep such records as necessary.
3. Provide the agency's evaluation of the probable or potential effect of the proposal on the privacy of individuals.
4. Provide a brief description of the steps taken by the agency to minimize the risk of unauthorized access to the system of records. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established shall be made available to OMB upon request.
5. Explain how each proposed routine use satisfies the compatibility requirement of subsection (a)(7) of the Act. For altered systems, this requirement pertains only to any newly proposed routine use.
6. Provide OMB Control Numbers, expiration dates, and titles of any information collection requests (e.g., forms, surveys, etc.) contained in the system of records and approved by OMB under the Paperwork Reduction Act. If the request for OMB clearance of an information collection is pending, the agency may simply state the title of the collection and the date it was submitted for OMB clearance.
(c) Supporting Documentation. Attach the following to all new or altered system of records reports:
(4) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide comments if appropriate. Agencies may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40 days from the date the transmittal letter was signed. Agencies should ensure that letters are transmitted expeditiously after they are signed.
(5) Timing of Systems of Records Reports. Agencies may publish system of records and routine use notices as well as proposed exemption rules in the Federal Register at the same time that they send the new or altered system report to OMB and Congress. The period for OMB and congressional review and the notice and comment period for routine uses and exemptions will then run concurrently. Note that exemptions must be published as final rules before they are effective.
(b) Changing the matching population, either by including new categories of record subjects or by greatly increasing the numbers of records matched.
(c) Changing the legal authority covering the matching program.
(d) Changing the source or recipient agencies involved in the matching program.
(2) Contents of New or Altered Matching Program Report. The report for a new or altered matching program has three elements: a transmittal letter, a narrative statement, and supporting documentation that includes a copy of the proposed Federal Register notice.
2. A description of the security safeguards used to protect against any unauthorized access or disclosure of records used in the match.
3. If the cost/benefit analysis required by Section (u)(4)(A) indicated an unfavorable ratio or was waived pursuant to OMB guidance, an explanation of the basis on which the agency justifies conducting the match.
(c) Supporting Documentation. Attach the following:
2. For the Congressional report only, a copy of the matching agreement.
(3) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide comments if appropriate. Agencies may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40 days from the date the transmittal letter was signed.
(4) Timing of Matching Program Reports. Agencies should ensure that letters are transmitted expeditiously after they are signed. Agencies may publish matching program notices in the Federal Register at the same time that they send the matching program report to OMB and Congress. The period for OMB and congressional review and the notice and comment period will then run concurrently.
5. Publication Requirements. The Privacy Act requires agencies to publish notices or rules in the Federal Register in the following circumstances: when adopting a new or altered system of records, when adopting a routine use, when adopting an exemption for a system of records, or when proposing to carry out a new or altered matching program. (See paragraphs 4c(1) and 4d(1) above on what constitutes an alteration requiring a report to OMB and the Congress.)
(3) Format. Agencies should follow the publication format contained in the Office of the Federal Register's Document Drafting Handbook which may be obtained from the Government Printing Office.
(2) Timing. Publication must occur at least 30 days prior to the initiation of any matching activity carried out under a new or substantially altered matching program. For renewals of programs agencies wish to continue past the 30-month period of initial eligibility (i.e., the initial 18 months plus a one-year extension), publication must occur at least 30 days prior to the expiration of the existing matching agreement. (But note that a report to OMB and the Congress is also required, with a 40-day review period.)
(3) Format. The matching notice shall be in the format prescribed by the Office of the Federal Register's Document Drafting Handbook and contain the following information: