Appendix I to OMB Circular No. A-130
Federal Agency Responsibilities for Maintaining Records About Individuals
1. Purpose and Scope.
This Appendix describes agency responsibilities for implementing the reporting and publication requirements of the
Privacy Act of 1974, 5 U.S.C. 552a, as amended (hereinafter "the Act"). It applies to all agencies subject to the Act. Note
that this Appendix does not rescind other guidance OMB has issued to help agencies interpret the Privacy Act's provisions,
e.g., Privacy Act Guidelines (40 FR 28949-28978, July 9, 1975), or Final Guidance for Conducting Matching Programs (54
FR at 25819, June 19, 1989).
- The terms "agency," "individual," "maintain," "matching program," "record," "system of records," and "routine
use," as used in this Appendix, are defined in the Act (5 U.S.C. 552a(a)).
- Matching Agency. Generally, the Recipient Federal agency (or the Federal
source agency in a match conducted by a nonfederal agency) is the matching
agency and is responsible for meeting the reporting and publication requirements
associated with the matching program. However, in large, multi-agency matching
programs, where the recipient agency is merely performing the matches and the
benefit accrues to the source agencies, the partners should assign responsibility
for compliance with the administrative requirements in a fair and reasonable
way. This may mean having the matching agency carry out these requirements
for all parties, having one participant designated to do so, or having each
source agency do so for its own matching program(s).
- Nonfederal Agency. Nonfederal agencies are State or local governmental agencies
receiving or providing records in a matching program with a Federal agency.
- Recipient Agency. Recipient agencies are Federal agencies or their contractors
receiving automated records from the Privacy Act systems of records of other
Federal agencies, or from State or local governments, to be used in a matching
program as defined in the Act.
- Source Agency. A source agency is a Federal agency that discloses automated
records from a system of records to another Federal agency or to a State or
local agency to be used in a matching program. It is also a State or local
agency that discloses records to a Federal agency for use in a matching program.
3. Assignment of Responsibilities.
- All Federal Agencies. In addition to meeting the agency requirements contained
in the Act and the specific reporting and publication requirements detailed
in this Appendix, the head of each agency shall ensure that the following reviews
are conducted as often as specified below, and be prepared to report to the
Director, OMB, the results of such reviews and the corrective action taken
to resolve problems uncovered. The head of each agency shall:
(1) Section (m) Contracts. Review every two years a random sample of agency contracts that provide for the
maintenance of a system of records on behalf of the agency to accomplish an agency function, in order to ensure
that the wording of each contract makes the provisions of the Act binding on the contractor and his or her
employees. (See 5 U.S.C. 552a(m)(1))
(2) Recordkeeping Practices. Review biennially agency recordkeeping and disposal policies and practices in order to
assure compliance with the Act, paying particular attention to the maintenance of automated records.
(3) Routine Use Disclosures. Review every four years the routine use disclosures associated with each system of
records in order to ensure that the recipient's use of such records continues to be compatible with the purpose for
which the disclosing agency collected the information.
(4) Exemption of Systems of Records. Review every four years each system of records for which the agency has
promulgated exemption rules pursuant to Section (j) or (k) of the Act in order to determine whether such exemption
is still needed.
(5) Matching Programs. Review annually each ongoing matching program in which the agency has participated
during the year in order to ensure that the requirements of the Act, the OMB guidance, and any agency regulations,
operating instructions, or guidelines have been met.
(6) Privacy Act Training. Review biennially agency training practices in order to ensure that all agency personnel
are familiar with the requirements of the Act, with the agency's implementing regulation, and with any special
requirements of their specific jobs.
(7) Violations. Review biennially the actions of agency personnel that have resulted either in the agency being
found civilly liable under Section (g) of the Act, or an employee being found criminally liable under the provisions
of Section (i) of the Act, in order to determine the extent of the problem, and to find the most effective way to
prevent recurrence of the problem.
(8) Systems of Records Notices. Review biennially each system of records notice to ensure that it accurately
describes the system of records. Where minor changes are needed, e.g., the name of the system manager, ensure that
an amended notice is published in the Federal Register. Agencies may choose to make one annual comprehensive
publication consolidating such minor changes. This requirement is distinguished from and in addition to the
requirement to report to OMB and Congress significant changes to systems of records and to publish those changes
in the Federal Register (See paragraph 4c of this Appendix).
- Department of Commerce. The Secretary of Commerce shall, consistent with
guidelines issued by the Director, OMB, develop and issue standards and guidelines
for ensuring the security of information protected by the Act in automated
- The Department of Defense, General Services Administration, and National
Aeronautics and Space Administration. These agencies shall, consistent with
guidelines issued by the Director, OMB, ensure that instructions are issued
on what agencies must do in order to comply with the requirements of Section
(m) of the Act when contracting for the operation of a system of records to
accomplish an agency purpose.
- Office of Personnel Management. The Director of the Office of Personnel Management
shall, consistent with guidelines issued by the Director, OMB:
(1) Develop and maintain government-wide standards and procedures for civilian personnel information processing
and recordkeeping directives to assure conformance with the Act.
(2) Develop and conduct Privacy Act training programs for agency personnel, including both the conduct of courses
in various substantive areas (e.g., administrative, information technology) and the development of materials that
agencies can use in their own courses. The assignment of this responsibility to OPM does not affect the
responsibility of individual agency heads for developing and conducting training programs tailored to the specific
needs of their own personnel.
- National Archives and Records Administration. The Archivist of the United
States through the Office of the Federal Register, shall, consistent with guidelines
issued by the Director, OMB:
(1) Issue instructions on the format of the agency notices and rules required to be published under the Act.
(2) Compile and publish every two years, the rules promulgated under 5 U.S.C. 552a(f) and agency notices
published under 5 U.S.C. 552a(e)(4) in a form available to the public at low cost.
(3) Issue procedures governing the transfer of records to Federal Records Centers for storage, processing, and
servicing pursuant to 44 U.S.C. 3103. For purposes of the Act, such records are considered to be maintained by the
agency that deposited them. The Archivist may disclose deposited records only according to the access rules
established by the agency that deposited them.
- Office of Management and Budget. The Director of the Office of Management
and Budget will:
(1) Issue guidelines and directives to the agencies to implement the Act.
(2) Assist the agencies, at their request, in implementing their Privacy Act programs.
3) Review new and altered system of records and matching program reports submitted pursuant to Section (o) of
(4) Compile the biennial report of the President to Congress in accordance with Section(s) of the Act.
(5) Compile and issue a biennial report on the agencies' implementation of the computer matching provisions of the
Privacy Act, pursuant to Section (u)(6) of the Act.
4. Reporting Requirements. The Privacy Act requires agencies to make the following kinds of reports:
Report When Due Recipient**
Biennial Privacy Act Report June 30, 1996, 1998, 2000, 2002Administrator, OIRA
Biennial Matching Activity Report June 30, 1996, 1998, 2000, 2002Administrator, OIRA
New System of Records Report When establishing a system of records - at least 40 days before operating the
system * Administrator, OIRA, Congress
Altered System of Records Report When adding a new routine use, exemption, or otherwise significantly altering an
existing system of records - at least 40 days before change to system takes place * Administrator, OIRA, Congress
New Matching Program Report When establishing a new matching program - at least 40 days before operating the
program * Administrator, OIRA, Congress
Renewal of Existing Matching Program At least 40 days prior to expiration of any one year extension of the original
program - treat as a new program Administrator, OIRA, Congress
Altered Matching Program When making a significant change to an existing matching program - at least 40 days
before operating an altered program * Administrator, OIRA, Congress
Matching Agreements At least 40 days prior to the start of a matching program * Congress
* Review Period: Note that the statutory reporting requirement is 30 days prior; the additional ten days will ensure
that OMB and Congress have sufficient time to review the proposal. Agencies should therefore ensure that reports
are mailed expeditiously after being signed.
** Recipient Addresses: At bottom of envelope print "PRIVACY ACT REPORT"
House of Representatives: The Chair of the House Committee on Government Reform and Oversight, 2157 RHOB,
Washington, D.C. 20515-6143.
Senate: The Chair of the Senate Committee on Governmental Affairs, 340 SDOB, Washington, D.C. 20510-6250.
Office of Management and Budget: The Administrator of the Office of Information and Regulatory Affairs, Office
of Management and Budget, ATTN: Docket Library, NEOB Room 10012, Washington, D.C. 20503.
- Biennial Privacy Act Report. To provide the necessary information for the biennial report of the President,
agencies shall submit a biennial report to OMB, covering their Privacy Act activities for the calendar years covered
by the reporting period. The exact format of the report will be established by OMB. At a minimum, however,
agencies should collect and be prepared to report the following data on a calendar year basis:
(1) A listing of publication activity during the year showing the following:
- Total Number of Systems of Records (Exempt/NonExempt)
- Number of New Systems of Records Added (Exempt/NonExempt)
- Number Routine Uses Added
- Number Exemptions Added to Existing Systems
- Number Exemptions Deleted from Existing Systems
- Total Number of Automated Systems of Records (Exempt/NonExempt)
The agency should provide a brief narrative describing those activities in detail, e.g., "the Department added a (k)(1)
exemption to an existing system of records entitled "Investigative Records of the Office of Investigations;" or "the
agency added a new routine use to a system of records entitled "Employee Health Records" that would permit
disclosure of health data to researchers under contract to the agency to perform workplace risk analysis."
(2) A brief description of any public comments received on agency publication and implementation activities, and
(3) Number of access and amendment requests from record subjects citing the Privacy Act that were received during
the calendar year of the report. Also the disposition of requests from any year that were completed during the
calendar year of the report:
- Total Number of Access RequestsNumber Granted in Whole Number Granted in PartNumber Wholly
DeniedNumber For Which No Record Found
- Total Amendment Requests Number Granted in Whole Number Granted in PartNumber Wholly Denied
- Number of Appeals of Denials of Access Number Granted in WholeNumber Granted in Part Number Wholly
Denied Number For Which No Record Found
- Number of Appeals of Denials of Amendment Number Granted in Whole Number Granted in Part Number Wholly
(4) Number of instances in which individuals brought suit under section (g) of the Privacy Act against the agency
and the results of any such litigation that resulted in a change to agency practices or affected guidance issued by
(5) Results of the reviews undertaken in response to paragraph 3a of this Appendix.
(6) Description of agency Privacy Act training activities conducted in accordance with paragraph 3a(6) of this
- Biennial Matching Activity Report (See 5 U.S.C. 552a(u)(3)(D)). At the end of each calendar year, the Data
Integrity Board of each agency that has participated in a matching program will collect data summarizing that year's
matching activity. The Act requires that such activity be reported every two years. OMB will establish the exact
format of the report, but agencies' Data Integrity Boards should be prepared to report the data identified below both
to the agency head and to OMB:
(1) A listing of the names and positions of the members of the Data Integrity Board and showing separately the
name of the Board Secretary, his or her agency mailing address, and telephone number. Also show and explain any
changes in membership or structure occurring during the reporting year.
(2) A listing of each matching program, by title and purpose, in which the agency participated during the reporting
year. This listing should show names of participant agencies, give a brief description of the program, and give a
page citation and the date of the Federal Register notice describing the program.
(3) For each matching program, an indication of whether the cost/benefit analysis performed resulted in a favorable
ratio. The Data Integrity Board should explain why the agency proceeded with any matching program for which an
unfavorable ratio was reached.
(4) For each program for which the Board waived a cost/benefit analysis, the reasons for the waiver and the results
of the match, if tabulated.
(5) A description of any matching agreement the Board rejected and an explanation of the rejection.
(6) A listing of any violations of matching agreements that have been alleged or identified, and a discussion of any
(7) A discussion of any litigation involving the agency's participation in any matching program.
(8) For any litigation based on allegations of inaccurate records, an explanation of the steps the agency used to
ensure the integrity of its data as well as the verification process it used in the matching program, including an
assessment of the adequacy of each.
- New and Altered System of Records Report. The Act requires agencies to publish notices in the Federal
Register describing new or altered systems of records, and to submit reports to OMB, and to the Chair of the
Committee on Government Reform and Oversight of the House of Representatives, and the Chair of the Committee
on Governmental Affairs of the Senate. The reports must be transmitted at least 40 days prior to the operation of the
new system of records or the date on which the alteration to an existing system takes place.
(1) Which Alterations Require a Report. Minor changes to systems of records need not be reported. For example, a
change in the designation of the system manager due to a reorganization would not require a report, so long as an
individual's ability to gain access to his or her records is not affected. Other examples include changing applicable
safeguards as a result of a risk analysis or deleting a routine use when there is no longer a need for the disclosure.
The following changes are those for which a report is required:
(a) A significant increase in the number, type, or category of individuals about whom records are maintained. For
example, a system covering physicians that has been expanded to include other types of health care providers, e.g.,
nurses, technicians, etc., would require a report. Increases attributable to normal growth should not be reported.
(b) A change that expands the types or categories of information maintained. For example, a benefit system which
originally included only earned income information that has been expanded to include unearned income
(c) A change that alters the purpose for which the information is used.
(d) A change to equipment configuration (either hardware or software) that creates substantially greater access to
the records in the system of records. For example, locating interactive terminals at regional offices for accessing a
system formerly accessible only at the headquarters would require a report.
(e) The addition of an exemption pursuant to Section (j) or (k) of the Act. Note that, in examining a rulemaking for
a Privacy Act exemption as part of a report of a new or altered system of records, OMB will also review the rule
under applicable regulatory review procedures and agencies need not make a separate submission for that purpose.
(f) The addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).
(2) Reporting Changes to Multiple Systems of Records. When an agency makes a change to an information
technology installation or a telecommunication network, or makes any other general changes in information
collection, processing, dissemination, or storage that affect multiple systems of records, it may submit a single,
consolidated report, with changes to existing notices and supporting documentation included in the submission.(a) Transmittal Letter. The transmittal letter should be signed by the senior agency official responsible for
implementation of the Act within the agency and should contain the name and telephone number of the individual
who can best answer questions about the system of records. The letter should contain the agency's assurance that the
proposed system does not duplicate any existing agency or government-wide systems of records. The letter sent to
OMB may also include a request for waiver of the time period for the review. The agency should indicate why it
cannot meet the established review period and the consequences of not obtaining the waiver. (See paragraph 4e
below.) There is no prescribed format for the letter.
(3) Contents of the New or Altered System Report. The report for a new or altered system has three elements: a
transmittal letter, a narrative statement, and supporting documentation.
(b) Narrative Statement. There is also no prescribed format for the narrative statement, but it should be brief. It
should make reference, as appropriate, to information in the supporting documentation rather than restating such
information. The statement should:
1. Describe the purpose for which the agency is establishing the system of records.
2. Identify the authority under which the system of records is maintained. The agency should avoid citing
housekeeping statutes, but rather cite the underlying programmatic authority for collecting, maintaining, and using
the information. When the system is being operated to support an agency housekeeping program, e.g., a carpool
locator, the agency may, however, cite a general housekeeping statute that authorizes the agency head to keep such
records as necessary.
3. Provide the agency's evaluation of the probable or potential effect of the proposal on the privacy of individuals.
4. Provide a brief description of the steps taken by the agency to minimize the risk of unauthorized access to the
system of records. A more detailed assessment of the risks and specific administrative, technical, procedural, and
physical safeguards established shall be made available to OMB upon request.
5. Explain how each proposed routine use satisfies the compatibility requirement of subsection (a)(7) of the Act. For
altered systems, this requirement pertains only to any newly proposed routine use.
6. Provide OMB Control Numbers, expiration dates, and titles of any information collection requests (e.g., forms,
surveys, etc.) contained in the system of records and approved by OMB under the Paperwork Reduction Act. If the
request for OMB clearance of an information collection is pending, the agency may simply state the title of the
collection and the date it was submitted for OMB clearance.
(c) Supporting Documentation. Attach the following to all new or altered system of records reports:1. A copy of the new or altered system of records notice consistent with the provisions of 5 U.S.C. 552a(e)(4). The
notice must appear in the format prescribed by the Office of the Federal Register's Document Drafting Handbook.
For proposed altered systems the agency should supply a copy of the original system of records notice to ensure that
reviewers can understand the changes proposed. If the sole change to an existing system of records is to add a
routine use, the agency should either republish the entire system of records notice, a condensed description of the
system of records, or a citation to the last full text Federal Register publication.
2. A copy in Federal Register format of any new exemption rules or changes to published rules (consistent with the
provisions of 5 U.S.C. 552a(f),(j), or (k)) that the agency proposes to issue for the new or altered system.
(4) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide comments if appropriate. Agencies
may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40
days from the date the transmittal letter was signed. Agencies should ensure that letters are transmitted
expeditiously after they are signed.
(5) Timing of Systems of Records Reports. Agencies may publish system of records and routine use notices as well
as proposed exemption rules in the Federal Register at the same time that they send the new or altered system report
to OMB and Congress. The period for OMB and congressional review and the notice and comment period for
routine uses and exemptions will then run concurrently. Note that exemptions must be published as final rules
before they are effective.
- New or Altered Matching Program Report. The Act requires agencies to publish notices in the Federal
Register describing new or altered matching programs, and to submit reports to OMB, and to Congress. The report
must be received at least 40 days prior to the initiation of any matching activity carried out under a new or
substantially altered matching program. For renewals of continuing programs, the report must be dated at least 40
days prior to the expiration of any existing matching agreement.
(1) When to Report Altered Matching Programs. Agencies need not report minor changes to matching programs.
The term "minor change to a matching program" means a change that does not significantly alter the terms of the
agreement under which the program is being carried out. Examples of significant changes include:
(a) Changing the purpose for which the program was established.
(b) Changing the matching population, either by including new categories of record subjects or by greatly increasing
the numbers of records matched.
(c) Changing the legal authority covering the matching program.
(d) Changing the source or recipient agencies involved in the matching program.
(2) Contents of New or Altered Matching Program Report. The report for a new or altered matching program has
three elements: a transmittal letter, a narrative statement, and supporting documentation that includes a copy of the
proposed Federal Register notice.(a) Transmittal Letter. The transmittal letter should be signed by the senior agency official responsible for
implementation of the Privacy Act within the agency and should contain the name and telephone number of the
individual who can best answer questions about the matching program. The letter should state that a copy of the
matching agreement has been distributed to Congress as the Act requires. The letter to OMB may also include a
request for waiver of the review time period. (See 4e below.)
(b) Narrative Statement. There is no prescribed format for the narrative statement, but it should be brief. It should
make reference, as appropriate, to information in the supporting documentation rather than restating such
information. The statement should provide:
1. A description of the purpose of the matching program and the authority under which it is being carried out.
2. A description of the security safeguards used to protect against any unauthorized access or disclosure of records
used in the match.
3. If the cost/benefit analysis required by Section (u)(4)(A) indicated an unfavorable ratio or was waived pursuant to
OMB guidance, an explanation of the basis on which the agency justifies conducting the match.
(c) Supporting Documentation. Attach the following:
1. A copy of the Federal Register notice describing the matching program. The notice must appear in the format
prescribed by the Office of the Federal Register's Document Drafting Handbook. (See 5b (3).)
2. For the Congressional report only, a copy of the matching agreement.
(3) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide comments if appropriate. Agencies
may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40
days from the date the transmittal letter was signed.
(4) Timing of Matching Program Reports. Agencies should ensure that letters are transmitted expeditiously after
they are signed. Agencies may publish matching program notices in the Federal Register at the same time that they
send the matching program report to OMB and Congress. The period for OMB and congressional review and the
notice and comment period will then run concurrently.
- Expedited Review. The Director, OMB, may grant a waiver
of the 40-day review period for either systems of records or matching program
reviews. The agency must ask for the waiver in the transmittal letter and demonstrate
compelling reasons. When a waiver is granted, the agency is not thereby relieved
of any other requirement of the Act. If no waiver is granted, agencies may
presume concurrence at the expiration of the 40 day review period if OMB has
not commented by that time. Note that OMB cannot waive time periods specifically
established by the Act such as the 30 days notice and comment period required
for the adoption of a routine use proposal pursuant to Section (b)(3) of the
5. Publication Requirements. The Privacy Act requires agencies to publish notices or rules in the Federal Register in the following
circumstances: when adopting a new or altered system of records, when adopting a routine use, when adopting an
exemption for a system of records, or when proposing to carry out a new or altered matching program. (See paragraph 4c(1)
and 4d(1) above on what constitutes an alteration requiring a report to OMB and the Congress.)
- Publishing New or Altered Systems of Records Notices and Exemption Rules.
(1) Who Publishes. The agency responsible for operating the system of records makes the necessary publication.
Publication should be carried out at the departmental or agency level. Even where a system of records is to be
operated exclusively by a component, the department rather than the component should publish the notice. Thus, for
example, the Department of the Treasury would publish a system of records notice covering a system operated
exclusively by the Internal Revenue Service. Note that if the agency is proposing to exempt the system under
Section (j) or (k) of the Act, it must publish a rule in addition to the system of records notice.
(a) Government-wide Systems of Records. Certain agencies publish systems of records containing records for which
they have government-wide responsibilities. The records may be located in other agencies, but they are being used
under the authority of and in conformance with the rules mandated by the publishing agency. The Office of
Personnel Management, for example, has published a number of government-wide systems of records relating to the
operation of the government's personnel program. Agencies should not publish systems of records that wholly or
partly duplicate existing government-wide systems of records.
(b) Section (m) Contract Provisions. When an agency provides by contract for the operation of a system of records,
it should ensure that a system of records notice describing the system has been published. It should also review the
notice to ensure that it contains a routine use under Section (e)(4)(D) of the Act permitting disclosure to the
contractor and his or her personnel.
(2) When to Publish.
(a) System Notice. The system of records notice must appear in the Federal Register before the agency begins to
operate the system, e.g., collect and use the information.
(b) Routine Use. A routine use must be published in the Federal Register 30 days before the agency discloses
records pursuant to its terms. (Note that the addition of a routine use to an existing system of records requires a
report to OMB and Congress, and that the review period for this report is 40 days.)
(c) Exemption Rule. A rule exempting a system of records under (j) or (k) or the Act must be established through
informal rulemaking pursuant to the Administrative Procedure Act. This process generally requires publication of a
proposed rule, a period during which the public may comment, publication of a final rule, and the adoption of the
final rule. Agencies may not withhold records under an exemption until these requirements have been met.
(3) Format. Agencies should follow the publication format contained in the Office of the Federal Register's
Document Drafting Handbook which may be obtained from the Government Printing Office.
- Publishing Matching Notices.
(1) Who Publishes. Generally, the recipient Federal agency (or the Federal source agency in a match conducted by a
nonfederal agency) is responsible for publishing in the Federal Register a notice describing the new or altered
matching program. However, in large, multi-agency matching programs, where the recipient agency is merely
performing the matches, and the benefit accrues to the source agencies, the partners should assign responsibility for
compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching
agency carry out these requirements for all parties, having one participant designated to do so, or having each source
agency do so for its own matching program(s).
(2) Timing. Publication must occur at least 30 days prior to the initiation of any matching activity carried out under
a new or substantially altered matching program. For renewals of programs agencies wish to continue past the 30
month period of initial eligibility (i.e., the initial 18 months plus a one year extension), publication must occur at
least 30 days prior to the expiration of the existing matching agreement. (But note that a report to OMB and the
Congress is also required with a 40 day review period).
(3) Format. The matching notice shall be in the format prescribed by the Office of the Federal Register's Document
Drafting Handbook and contain the following information:(a) The name of the Recipient Agency.(b) The Name(s) of the Source Agencies.(c) The beginning and ending dates
of the match.(d) A brief description of the matching program, including its purpose; the legal authorities authorizing
its operation; categories of individuals involved; and identification of records used, including name(s) of Privacy
Act Systems of records.(e) The identification, address, and telephone number of a Recipient Agency official who
will answer public inquiries about the program.
Return to Top
Return to A-130