HUD Privacy Act Handbook
Directive Number: 1325.1
U.S. Department of Housing and Urban Development
Office of Administration
1325.01 REV-1
TABLE OF CONTENTS
Paragraph
CHAPTER 1. INTRODUCTION TO THE HANDBOOK
1-1 Purpose
1-2 Records Subject to the Privacy Act
1-3 HUD Employees and the Privacy Act
1-4 Citations and References
1-5 Definitions
CHAPTER 2. INTRODUCTION TO THE PRIVACY ACT
2-1 Necessity
2-2 Purpose
2-3 Departmental Policy
2-4 Your Responsibilities
2-5 Criminal Penalties
CHAPTER 3. PROCEDURES FOR PROCESSING AND MONITORING REQUESTS FOR RECORDS SUBJECT TO THE PRIVACY ACT
3-1 Introduction
3-2 Personnel involved in Privacy Act
3-3 Relationship between the Privacy Act and the Freedom of Information Act
3-4 Choosing the Appropriate Act
3-5 Exemptions from the Privacy Act
3-6 Conditions of Disclosure
3-7 Accounting for Certain Disclosures
3-8 Inquiries concerning Systems of Records
3-9 Individual requests for Access to Information maintained in Systems of Records
3-10 Verification of Identity
3-11 Disclosure of Requested Information to Individuals
3-12 Initial Denial of Access to Records
3-13 Appeal of Initial Denial of Access to Records
3-14 Request for Correction or Amendment to a Record
3-15 Criteria for Considering a Request for Correction or Amendment
3-16 Initial Denial to Correct or Amend a Record
3-17 Appeal from Initial Denial to Correct or Amend a Record
3-18 Reproduction Fees
CHAPTER 4. ESTABLISHING AND MANAGING PRIVACY ACT SYSTEMS OF RECORDS
4-1 Introduction
4-2 Responsibilities of the System Manager
4-3 Situations Requiring a Report and Federal Register Notice
4-4 Contents of the New or Altered System Report
4-5 Timing, OMB Concurrence, and Publication of the Federal Register Notice
CHAPTER 5. COMPUTER MATCHING PROGRAMS
5-1 General
5-2 Definitions
5-3 The Data Integrity Board
5-4 Conducting Matching Programs
5-5 Due Process for Matching Subjects
CHAPTER 6. APPLICATION OF THE PRIVACY ACT TO OTHER RELATED FUNCTIONS
6-1 Introduction
6-2 Automated Data Reporting Systems
6-3 ADP Security
6-4 Procurement of Computer Equipment and Systems
6-5 Procurement and Contracts
6-6 Forms and Reports Management
6-7 The Privacy Conscience of the Department
CHAPTER 7. REPORTING REQUIREMENTS
7-1 Introduction
7-2 Examples of Privacy Act Reviews
7-3 Privacy Act Reports
Appendices
A. Privacy Act Case Log
B. Privacy Act Officers' Locations
C. Privacy Act of 1974 (as amended)
D. Appeal Procedures
E. Responsibilities of Privacy Act Systems Managers
F. Computer Matching Programs Timetable
G. Guidelines for Establishing Safeguards for Records Subject to the Privacy Act
H. Guide to the Privacy Act of 1974 and the Departmental Privacy Act Regulations
I. Privacy Act Systems of Records
LIST OF EXHIBITS
Exhibit Number
3-1 Sample Letter to Inform Individual of a Request for Access to his Personal Information
3-2 Sample Form to Obtain Consent to Disclose Personal Information
3-3 Sample Form for Recording Accounting Disclosures
3-4 Sample Privacy Act Request Letter
3-5 Sample Letter Informing Requester of Transfer of Privacy Act Request to Appropriate HUD Office
3-6 Sample Letter Used to Obtain Additional Information
3-7 Sample Record Search Information Log
3-8 Sample Letter for Privacy Act Processing over 10 days
3-9 Sample Letter to Inform Requester of Departmental Action
3-10 Sample Statement of Identity
3-11 Sample Requester's Authorization for an Accompanying Individual
4-1 Sample of a New System of Records Notice
4-2 Sample of an Altered or Amended System of Records Notice
CHAPTER 1. INTRODUCTION TO THE HANDBOOK
1-1 PURPOSE. This Handbook has two main goals.
A. To provide every employee of the Department with information
on their rights and responsibilities under the Privacy Act.
B. To establish policies, procedures, requirements and guidelines
for the implementation of the Department's Privacy Act
responsibilities.
1-2 RECORDS SUBJECT TO THE PRIVACY ACT (PRIVACY ACT RECORDS). A group
of records is subject to the Privacy Act if it satisfies all three
of the following criteria:
A. Contains an item, collection, or grouping of information about
an individual.
B. Contains name, or identifying number, symbol, or other
identifying particular assigned to the individual such as a
finger or voice print.
C. Consists of a group of any records under the control of any
agency from which information is retrieved by the name of the
individual or by some identifying number, symbol, or other
identifying particular assigned to the individual.
1-3 HUD EMPLOYEES AND THE PRIVACY ACT. The Privacy Act imposes
requirements on staff members performing in different roles. Each
of the roles carries with it special activities with regard to
safeguarding the rights of others and carrying out the
responsibilities of the Department. The roles are highlighted
below:
A. Every employee must safeguard the privacy of every other
person, both employee and citizen-client of the Department.
This can be accomplished in three ways:
1. Do not let anyone have access to records under your
control which contain personal information unless it is:
in the performance of official duties (including "routine
use" transfers of data); required under the Freedom of
Information Act; by direction of a Privacy Act Officer;
by direction of the Privacy Appeals Officer (following an
appeal of a denial);
or under one of the other conditions of disclosure listed
in paragraph 3-5 of this handbook.
2. Purge your files of personal data on individuals as soon
as the information is no longer useful, as permitted by
law.
3. Minimize the collection of data containing personal
information on individuals.
B. Employees responsible for the Office of Human Resources
controlled personnel data have three responsibilities in
addition to safeguarding individual privacy: to allow an
employee access to his or her own personnel records, but under
strict supervision to avoid or prevent the possible altering
of the official file; to ensure that an employee's right to
have a single copy of any or every item in his or her
personnel folder is granted; and to ensure that personnel data
routed through the mailroom are enclosed in a sealed envelope.
C. Employees responsible for transferring data are likewise
responsible for accounting for the disclosure of records
containing identifiable personal data on individuals. Such
accounting must be made except under the following conditions:
transfer to another individual within HUD who uses this
information in the performance of his or her official duties;
and transfer of information under the Freedom of Information
Act (FOIA). The term "transfer" includes disclosure and
divulgence of records and information from records to any
other agency or individual. Detailed information pertaining
to disclosure accounting requirements is contained in
paragraph 3-6 of this handbook.
D. The Assistant Secretary for Administration is responsible for
carrying out the requirements of the Privacy Act, and for
establishing such policies and procedures as are necessary for
full compliance with the Act.
E. The Departmental Privacy Act Officer within the Office of
Information Policies and Systems is responsible for
developing, implementing, and interpreting the Department's
policies and programs prescribed by the Act and the Office of
Management and Budget (OMB). Also, he or she is designated the
Privacy Act Officer for Headquarters. The Director, Office of
Human Resources, Office of Administration, is delegated
authority to act on Privacy Act inquiries and requests for
access, copying and correction of records in the Official
Personnel Files (OPFs) for employees serviced by Headquarters.
F. Privacy Act Officers are authorized to act on all Privacy Act
requests for information, including inquiry, access, change
and denial, and are responsible for ensuring that individual
rights are protected. The head of each HUD Field Office is
designated the Privacy Act Officer. This authority may be
redelegated to a staff member.
G. Privacy Act Coordinators are officially-designated Privacy Act
representatives within each Headquarters Primary Organization
and within each Office of the Assistant Secretary responsible
for maintaining liaison with the Departmental Privacy Act
Officer, and for representing their organization head in
Privacy Act activities necessary to ensure compliance (1) with
the Act and (2) with implementing OMB and Departmental
requirements. They are also responsible for providing
information to be used in responding to OMB reporting
requirements and for serving as a contact point in their
organization in responding to Privacy Act requests for access
to records.
H. The Privacy Appeals Officer is responsible for determining the
legal correctness of any denial determination that is
appealed. The General Counsel is designated as the Privacy
Appeals Officer. The Privacy Appeals Officer for the Office
of Inspector General is the Inspector General.
I. Systems Managers are responsible for the policies and
practices governing the systems of records they manage and for
ensuring that the systems they manage are operated in
compliance with Privacy Act and Departmental requirements.
(See Appendix E for additional detail regarding System Manager
responsibility for complying with the Privacy Act.)
J. Mailroom employees are responsible for ensuring that all
Privacy Act mail, so marked, is sent directly to the
appropriate Privacy Act Officer. Privacy Act requests should
be handled in the following manner:
1. If an envelope or a letter contains the words "Privacy,"
"Privacy Act," "Privacy Officer" or combinations of
these, it is to be forwarded directly to the Privacy Act
Officer in the local Field Office which received the
letter. If such is received in Headquarters, it should be
sent to the Departmental Privacy Act Officer, Office of
Information Policies and Systems.
2. All mail marked "Privacy Appeals Officer" or with similar
notations containing the words "Privacy" and "Appeals"
should be sent directly to the Privacy Appeals Officer,
Office of General Counsel, Washington, D.C. In the
Field, this mail is forwarded to the designated Privacy
Act Officer for forwarding to the Privacy Appeals
Officer.
1-4 CITATIONS AND REFERENCES.
THE PRIVACY ACT OF 1974
(As Amended)
Public Law 93-579
Title 5, United States Code, Section
552a
(usually cited as P.L. 93-579 or 5 USC
552a)
Computer Matching and Privacy Protection
Act
Public Law 100-503
IMPLEMENTATION OF THE PRIVACY ACT OF
1974
Rules and Regulations
Title 24, Subtitle A, Code of Federal
Regulations, Part 16
(usually cited as: 24 CFR Part 16)
The Privacy Act of 1974 (as amended), 5 USC 552a, is contained in
Appendix C. A guide to the provisions of the Act and the Rules and
Regulations, in layman's language and complete with citations and
cross-references to the law and the regulations, is contained in
Appendix H.
1-5 DEFINITIONS. Both the Privacy Act and the related Departmental
regulations use terms which have specific meanings with regard to
the procedures for protecting individual privacy. These terms,
also used in this Handbook, are defined below to assist you in
understanding your rights and responsibilities, and those of the
Department, with regard to individual privacy.
A. "Accounting" means the cataloging of disclosures made to any
person or agency, public or private. No accounting is
required if the disclosure is made to: (1) the subject of the
record, (2) HUD employees who have a need to have access to
the record in the performance of their official duties, and
(3) members of the public as required by the Freedom of
Information Act.
B. "Access" means the process of permitting individuals to see or
obtain copies of records about themselves from a Privacy Act
system of records. Under the Department's Federal Conduct
Rule at 24 CFR Part 9, HUD must make records available to
employees in an accessible format. This may include braille,
tape, large print, readers, personal computer with voice, etc.
C. "Agency" means any Federal Department, Administration or
Office as defined under "Agency" in section 552(e) of Title 5
of the United States Code, Freedom of Information Act. This
means this Department, not a component.
D. "Appeal" means the request by an individual to have the
Department review and reverse the Privacy Act Officer's
decision to deny the individual's initial request for access
to, or correction or amendment of, a record of information
pertaining to him. The adjudication of an appeal is made by
the Privacy Appeals Officer.
E. "Denial of access or correction" means refusal by a Privacy
Act Officer to permit the subject of a record to see all or
part of this record. Denial of access only can be exercised
for records for which an exemption has been published in the
Federal Register as part of the description of that system of
records. Denial of correction, addition, or deletion of a
record is determined by a Privacy Act Officer after fully
evaluating all evidence furnished by the individual requesting
the record change.
F. "Department" means the U.S. Department of Housing and Urban
Development.
G. "Disclosure" means releasing any record or information on an
individual by any means of communication to any person or to
another agency, public or private.
H. "Him" or "His" means him (her) and his (hers), respectively.
I. "Individual" means a citizen of the United States or an alien
lawfully admitted for permanent residence.
J. "Inquiry" means a request by an individual or his legal
guardian to have the Department determine whether it has any
record(s) of information pertaining to him in one or more of
the systems of records covered by the Act.
K. "Maintain" means collect, maintain, use, or disseminate.
L. "Privacy Act" or "Act" means the Privacy Act of 1974, Public
Law 93-579 (5 USC 552a).
M. "Privacy Act notice" means a statement, imprinted on or
attached to a request for personal information, stating: the
authority of the Agency to collect the data; the purpose or
how the information is to be used; the routine use of or other
agencies and individuals that may have access to the data;
whether it is mandatory or voluntary on the part of the
individual to supply the information; and the penalty, if any,
that may be assessed against the individual for not supplying
all or part of the information. The information in this
Notice permits an individual to make an informed decision as
to whether or not to comply with the request for personal
information.
N. "Privacy Act Request" means a request by an individual about
the existence of, access to, or amendment of a record about
himself or herself that is in a Privacy Act system of records.
The request does not have to specifically cite or otherwise
show dependence on the Act to be considered a Privacy Act
request.
O. "Record" means any item, collection, or grouping of information
about an individual which also includes his name, or any
identifying number, symbol, or other particular, such as a
finger or voice print, or a photograph. Throughout this
Handbook, "Record" refers to each record in a system of
records covered by the Act.
P. "Request for access" means a request by an individual or his
legal guardian to inspect and/or copy and/or obtain a copy of
a record of information pertaining to the subject individual.
Q. "Request for correction or amendment" means the request by an
individual or his legal guardian to have the Department change
(either by correction, addition or deletion) a particular
record of information pertaining to the subject individual.
R. "Routine use" means the use of a record for a purpose which is
compatible with the purpose for which it was collected.
Further, it means the record may be disclosed for this purpose
without the consent of the subject of the record, to any
agency outside the Department which has been identified as
having a need for this information and these agencies and
individuals have been identified in the Federal Register
description of the system of records.
S. "Statistical record" means a record maintained for statistical
research or reporting purposes only, and is not to be used in
whole or in part in making any determination about an
identifiable individual, except as allowed for in Title 13,
Section 8, of the United States Code (which refers to the
activities of the U.S. Bureau of the Census).
T. "System Manager" means an official who is responsible for the
management, operation, and release of information from a
system of records subject to the Privacy Act.
U. "System of records" means a group of records under the control
of HUD from which information is retrieved by the name of the
individual, or by some identifying number, symbol or other
identifying characteristic unique to the individual.
CHAPTER 2. INTRODUCTION TO THE PRIVACY ACT
2-1 NECESSITY. Federal agencies collect and disseminate a great deal
of personal information about individuals. Records are maintained
on employees of the agency, persons doing business with the agency
and persons serviced by the agency. In order to safeguard the
privacy of individuals from possible infringement, either willful
or accidental, by other individuals or public agencies, the
Congress of the United States enacted and the President signed
Public Law 93-579 on December 31, 1974, entitled the "Privacy Act
of 1974." The Act was amended in 1988 to incorporate the
requirements for conducting computer matching programs. The
Congress stated the following reasons for the necessity of such a
law:
A. The privacy of an individual is directly affected by the
collection, maintenance, use and dissemination of personal
information.
B. The increasing use of computers and sophisticated information
technology, which is essential to efficient operations and
data handling, has greatly increased the possible harm that
can occur to an individual's privacy from any collection,
maintenance, use or dissemination of personal information.
C. The opportunities for an individual to obtain employment,
insurance and credit, and his right to due process under the
law and other legal protections are in danger from the
possible misuse of certain information systems.
D. The right to privacy is a personal and fundamental right
protected by the Constitution of the United States.
E. In order to protect the privacy of an individual who is
identified in a Federal information system, Congress must
regulate the collection, maintenance, use and dissemination of
this information with regard to that system.
2-2 PURPOSE. The objective of the Privacy Act is to provide safeguards
for an individual against an invasion of his privacy. In order to
accomplish this, the Act requires Federal agencies to follow strict
rules of procedure, unless otherwise directed by the law:
A. An individual must be permitted to determine what records
pertaining to him are collected, maintained, used or
disseminated by Federal agencies.
B. An individual must be allowed to prevent records pertaining to
him, that were collected for a specific purpose, to be made
available for another purpose without his consent.
C. An individual must be allowed access to information pertaining
to him in agency records and to have a copy made of all or any
part of that information.
D. An individual must be given the right to seek correction or
amendment of any agency record pertaining to him.
E. The agency may not collect, maintain, use or disseminate any
record identifying personal information unless it is for a
necessary and lawful purpose.
F. The agency must assure that any information it does collect,
maintain, use or disseminate is current and accurate for its
intended use, and that adequate safeguards exist to prevent
misuse of that information.
G. The agency may exempt records of information from specific
requirements of the Act only when an important public policy
need for the exemption has been determined by specific
statutory authority.
H. The agency will be subject to civil suit for any damages which
occur as a result of willful or intentional action which
violates any individual's rights under the Privacy Act.
2-3 DEPARTMENTAL POLICY. The U.S. Department of Housing and Urban
Development established its policies and procedures for
implementing the Act by adopting Part 16, Implementation of the
Privacy Act of 1974, as an amendment to Title 24 of the Code of
Federal Regulations. Part 16 sets forth the following items of
Departmental policy:
A. The Department forbids the collection, maintenance, use or
dissemination of secret records. For the purposes of the
Privacy Act, secret records are official records containing
personal information about individuals; these records are
retrieved on the basis of a unique identifier (e.g., name,
social security number) corresponding to the individual
himself and have not been published in the Federal Register.
B. The Department will ensure the protection of individual
privacy by safeguarding against the unwarranted disclosure of
records containing information on individuals.
C. The Department will act promptly on any request for
information about, for access to or for appeal against a
decision concerning records containing information on
individuals, which is made by a citizen of the United States
or an alien lawfully admitted for residence into the United
States, regardless of the age of the individual making the
request or the reason for the request.
D. The Department will maintain only information on individuals
which is relevant and necessary to the performance of its
lawful functions.
E. The Department is responsible for maintaining information on
individuals with such accuracy, relevancy, timeliness and
completeness as is reasonably necessary to assure fairness to
the individual in any determinations that are made.
F. The Department will make every effort to obtain information
about an individual directly from the individual.
G. The Department will not maintain any record describing how an
individual exercises his or her rights guaranteed by the First
Amendment (freedom of religion, speech and press, peaceful
assemblage, and petition of grievances), unless expressly
authorized by statute or by the individual.
H. The Department will ensure an individual the right to seek the
correction or amendment of any record in a system of records
pertaining to him or her.
I. The Department will review upon appeal all decisions that deny
access to or corrections and amendments of records under the
Act.
J. The Department requires all organizational components to
follow the same rules and procedures to assure uniformity and
consistency in implementation of the Privacy Act.
K. With respect to requests for information, the Department will
disclose the maximum amount of requested information within
the constraints of legality.
2-4 YOUR RESPONSIBILITIES. As an employee of the Department you have
certain responsibilities to assist the Department in safeguarding
your rights and those of others. These responsibilities, for which
you are held accountable by law, are listed below:
A. Do not disclose any record contained in a system of records by
any means of communication to any person, or another agency
except under the specific conditions of disclosure stated in
the Act and in Departmental regulations.
B. Do not maintain unreported files which would come under the
Act. Paragraph 4-3 describes reporting requirements.
C. Do not maintain records describing how any individual
exercises his or her rights guaranteed by the First Amendment
unless expressly authorized by statute or by the individual.
The First Amendment protects an individual's rights of free
assembly; freedom of religion, speech and press; and to
petition the Government.
D. Privacy rules that will help you avoid the difficulties
associated with Items A., B., and C., above, are the
following:
1. Safeguard the privacy of all individuals and the
confidentiality of all personal information.
2. Report the existence of all personal information systems
not published in the HUD Privacy Systems Notice to your
Privacy Act Officer.
3. Account for all transfers of personal records outside the
Department. See paragraph 3-6.
4. Limit the availability of records containing personal
information to Departmental employees who need them to
perform their duties.
5. Avoid unlawful possession of or unlawful disclosure of
individually identifiable information.
E. All HUD program office Records Management Liaison Officers
(RMLOs) must ensure that retention and disposition schedules
are in place for records in their specific program areas
covered by the Privacy Act systems of records. Existing
records disposition schedules can be found in Handbooks 2225.6
REV-1, HUD Records Disposition Schedules; and 2228.2 REV-2,
General Records Schedules.
2-5 Criminal Penalties. The Privacy Act provides the following
penalties for unauthorized disclosure of records. All three are
misdemeanors punishable by fines of $5,000.
A. Any officer or employee of an agency, who by virtue of his
employment or official position, has possession of, or access
to, agency records which contain individually identifiable
information the disclosure of which is prohibited by the
Privacy Act or by rules or regulations of the Department, and
who knowing that disclosure of the specific material is so
prohibited, willfully discloses the material in any manner to
any person or agency not entitled to receive it, shall be
guilty of a misdemeanor.
B. Any officer or employee of HUD who willfully maintains a
system of records without meeting the notice requirements in
paragraph 4-3 of this handbook shall be guilty of a
misdemeanor.
C. Any person who knowingly and willfully requests or obtains any
record concerning an individual from an agency under false
pretenses shall be guilty of a misdemeanor.
CHAPTER 3. PROCEDURES FOR PROCESSING AND MONITORING REQUESTS
FOR RECORDS SUBJECT TO THE PRIVACY ACT
3-1 Introduction. This chapter sets forth procedures for processing
requests for access to or amendment of records under the Privacy
Act. It also includes procedures for disclosing records, and
accounting for such disclosures.
3-2 Personnel involved in Privacy Act activities fall into two
categories: those who process and disclose information and those
who make decisions concerning the disclosure of the information.
The first category includes mailroom personnel and persons
responsible for transmitting information and accounting for the
disclosures. Mailroom employee responsibilities are discussed in
paragraph 1-3. Procedures for processing requirements relating to
making decisions concerning the disclosure of the information are
discussed in this chapter. However, any questions concerning the
handling of information and/or disclosures should be resolved
directly with the Privacy Act Officer.
3-3 Relationship between the Privacy Act and the Freedom of Information
Act (FOIA). In some instances individuals requesting access to
records pertaining to themselves may not know which Act to cite as
the appropriate statutory authority. The following guidelines are
to ensure that the individuals receive the greatest degree of
access under both Acts:
A. Any person may use the FOIA to request access to agency
records. This includes U.S. citizens, permanent resident
aliens, foreign nationals, corporations, unincorporated
associations, universities, and state and local governments.
The FOIA enables a person to obtain access to agency records.
Only those records that are not maintained by the requester's
identifier and hence not "records" within "systems of records"
are available under FOIA.
B. Only individuals may use the Privacy Act. "Individual" is
limited to U.S. citizens and aliens lawfully admitted for
permanent residence. The Privacy Act, in addition to access,
establishes a right to correct, amend, or expunge records
about an individual that are not accurate, relevant, timely
and complete. Only records that are retrieved by the
individual's personal identifier and not exempt from access
as described in paragraph 3-11 are releasable.
3-4 Choosing the Appropriate Act. When making a decision regarding
which Act to use to process requests for information, the following
factors should be considered.
A. If the request is from an individual seeking information
pertaining to him, cites only the Privacy Act, and the
responsive documents are contained in a system of records
pertaining to the requester, the request should be processed
under the Privacy Act, taking into account any exemptions
available under the statute.
B. If the request cites only the FOIA, requests information about
a project, a program, an organization, etc., it should be
processed under the FOIA, taking into account only those
exemptions under the FOIA. See the FOIA handbook 1327.1, REV-1,
for more specific details relating to FOIA procedures and
processes. Additional guidance on FOIA exemptions which
allow the Department to withhold certain information can be
obtained from the Freedom of Information Officer in the Office
of Executive Secretariat.
C. If the requester cites both the Privacy Act and the FOIA,
process it under the Act that provides the greater degree of
access.
D. Do not penalize the individual access to his records otherwise
releasable, solely because he failed to cite the appropriate
statute or instruction.
3-5 Exemptions from the Privacy Act. The Privacy Act permits certain
types of systems of records to be exempt from access and other
provisions of the Act. There are ten exemptions which are
described at 5 U.S.C. 552a(d)(5), 5 U.S.C. 552a(j) and 5 U.S.C.
552a(k). See Appendix C, The Privacy Act of 1974, as amended, for
a detailed description of all of the exemptions. Whether a system
of records may be exempted is based on the purpose of the system of
records, not the identity of the organizational component
maintaining the records. When it is determined that a system of
records should be exempted from certain provisions of the Act, a
proposed rule must be published in the Federal Register naming
the system and stating the specific provisions of the Act from
which the system is to be exempted and the reasons. After a 30
day period for public comment, a final rule must be published in
the Federal Register. Agencies may not withhold records under an
exemption until these requirements have been met. The Privacy Act
Officer should be contacted for further guidance on whether or not
a system of records should be exempted and for assistance in
preparing the appropriate documents required for the Federal
Register Notices.
3-6 Conditions of Disclosure. The Privacy Act prohibits the Department
from disclosing any record contained in a system of records in any
way to anyone without a written request from or prior written
consent from the individual concerned in the record, unless
disclosure is for one of the following purposes:
A. Performance of duties by the officers and employees of the
Department.
B. Required in response to a request under the Freedom of
Information Act, Title 5, Section 552 of the United States
Code.
C. Routine use, as defined in 1-5, R., where the routine use and
the purpose of such use have been published in the Federal
Register.
D. To the Bureau of the Census for purposes of planning or
carrying out a census or survey or related activity pursuant
to the provisions of Title 13.
E. To a recipient who has provided HUD with advance adequate
written assurance that the record will be used solely as a
statistical research or reporting record, and the record is
disclosed in a form that is not individually identifiable.
This exception is limited to records which, even in
combination, cannot be used to identify individuals.
F. To the National Archives of the United States as a record
which has sufficient historical or other value to warrant its
continued preservation by the United States Government, or for
evaluation by the Archivist of the United States or his
designee to determine whether the record has such value.
G. To another agency or instrumentality of any governmental
jurisdiction within or under the control of the United States
for a criminal or civil law enforcement activity if the
activity is authorized by law and if the head of the agency or
instrumentality has made a written request to the agency
maintaining the record specifying the particular portion
desired and the law enforcement activity for which the record
is sought. The head of an agency, for purposes of this
condition of disclosure, means an official of the requesting
law enforcement agency at or above the rank of section chief
or equivalent.
H. The health or safety of an individual, and then only if the
person making the request has shown a "compelling
circumstance" and notification of the disclosure is sent to
the individual's last known address.
I. To either house of Congress, or, to the extent of matters
within its jurisdiction, any committee or subcommittee
thereof, any joint committee of Congress or subcommittee of
any such joint committee. This does not authorize the
disclosure of a Privacy Act record to an individual member of
Congress acting in his own behalf or on the behalf of a
constituent.
J. To the Comptroller General or any of his authorized
representatives in the course of the performance of the duties
of the General Accounting Office.
K. Required by the order of a court of competent jurisdiction.
Keep in mind, however, that a subpoena routinely issued by a
court clerk is not acceptable, as it must be signed by a
judge.
L. To a consumer reporting agency in accordance with section
3711(f) of title 31. A consumer reporting agency is a person
or business which assembles and evaluates information for
third parties or makes/markets credit reports. A routine use
must be established prior to disclosing information to a
consumer reporting agency. Prior to disclosure, the agency
head must determine that a valid claim exists and inform the
individual: that the debt is overdue; that the agency intends
to notify a consumer reporting agency; what information will
be released; and that the individual may seek a full
explanation of the claim, dispute the claim and appeal the
initial agency decision with respect to the claim.
3-7 Accounting for Certain Disclosures. The Privacy Act requires
agencies to keep an accounting of disclosures made from their systems
of records so that it is simpler to trace data to be corrected, and
to inform individuals about disclosures made and to monitor
compliance. Accounting for disclosures means to record in some way
what was disclosed and to whom. Thus, any employee who discloses
such information must maintain a record of account. It is not
necessary to account for disclosures that transfer records to
another individual within HUD who uses the information in the
performance of his official duties or the FOIA. In the event that
a request for access is received from an agency that is not listed
under "routine use" or an individual who is not the subject of the
requested record, prior consent must be obtained from the subject
individual each and every time before that disclosure can be made.
See Exhibit 3-1 for a sample letter that may be used to inform the
subject individual of the request and Exhibit 3-2 for a sample form
that may be used to obtain consent.
A. Content of Accounting Records. The accounting record must
include the date, nature, and purpose of the disclosure, and
the name and address of the recipient. It must be kept for 5
years after the disclosure is made or the life of the record,
whichever is longer. Also, the individual must be given access
to the disclosure accountings about him. See Exhibit 3-3 for
a sample form that may be used for recording accounting
disclosures.
B. Maintaining Disclosure Accounting Records. Disclosure
accounting records are official office records and must be
kept available for reference and review. They are to be
maintained by the Office, Division or Branch that maintains
the disclosed information. Specific details of the disclosed
records should be recorded.
3-8 Inquiries Concerning Systems of Records. Anyone may inquire into
the existence of a record of information pertaining to one's self
or to a dependent child or legal ward in a system of records
maintained by the Department. Privacy Act Officers should attempt
to honor oral requests whenever possible, but in the event of
questions on the validity of the request, the Privacy Act Officer
should have a request submitted in writing.
A. Inquiries should contain the following information:
Name, address and telephone number of the requester; name,
address and telephone number of the individual to whom the
record pertains, if the individual is a minor or legal ward of
the requester; a certified or authenticated copy of documents
establishing parentage or guardianship, if such is necessary;
whether the individual to whom the record pertains is a
citizen or an alien lawfully admitted for residence into the
United States; name and location of the system of records as
published in the Federal Register; any additional information
that might assist the Department in responding to the inquiry;
date of the inquiry; the requester's signature. Exhibit 3-4
contains a sample Privacy Act request letter.
1. If an inquiry is misdirected, the Departmental official
receiving it should promptly refer it to the appropriate
Privacy Act Officer; the time of receipt for processing
purposes is the time that the Privacy Act Officer
receives the inquiry. The requester should be informed
of the transfer. See Exhibit 3-5 for a sample letter
informing the requester of the transfer of a Privacy Act
Request to the appropriate HUD office.
2. An historical log should be maintained by each Privacy
Act Officer for each case handled in his office.
Appendix A presents a Privacy Act Case Log for this
purpose, which should be started at the beginning of each
calendar year and retained for an additional calendar
year.
3. If a requester does not know the name of the system of
records he is concerned about, the Privacy Act Officer
will provide assistance either in person or by mail.
4. If an inquiry fails to contain all necessary information,
the Privacy Act Officer will inform the requester that
the time of receipt for processing purposes will be the
time when the additional necessary information is
received. See Exhibit 3-6 for a form letter that may be
used to obtain the additional information.
5. Once there is sufficient information to process the
request, a record search procedure must be initiated.
This involves contacting the HUD staff(s) that
maintain(s) the system(s) of records. Exhibit 3-7
contains a Record Search Procedure Log that may be
used to retain a history of this activity.
6. The Privacy Act Officer should make every effort to
respond to an inquiry within 10 working days of receipt
of the inquiry. If a response cannot be made within 10
working days, the Privacy Act Officer will notify the
requester of this fact and provide him with an estimate
of when the request would be satisfied, as well as the
reason for the delay. See Exhibit 3-8 for a sample
letter that may be used for this purpose.
7. Paragraphs 3-8 through 3-16 relate to the processing of
the various types of Privacy Act requests and the
Departmental responsibilities with respect to them.
Exhibit 3-9 contains a sample letter by which the
requester can be informed of the Departmental action
taken with respect to his request and the actions he must
take to obtain the information that was requested, if
such are necessary.
3-9 Individual Requests for Access to Information Maintained in Systems
of Records.
A. Individual Rights. Any individual may request access to
records maintained about him by the Department. The
Department must, upon request:
1. Inform an individual whether a system of records contains
a record or records pertaining to him;
2. Permit an individual to review any record pertaining to
him which is contained in a system of records;
3. Permit the individual to be accompanied by a person of
his choosing; and
4. Permit the individual to obtain a copy of any such record
in a form comprehensible to him at a reasonable cost.
This may include braille, tape, large print, readers,
personal computer with voice, etc. No additional fee may
be requested from an employee with a disability who
requests material in an accessible format.
B. Agency Responsibilities. Privacy Officers should attempt to
honor oral requests whenever possible, but may ask that the
request be submitted in writing. In the event that a request
is misdirected to a HUD office, the Privacy Act Officer should
transfer the request to the appropriate office and notify the
requester of the transfer. See Exhibit 3-5 for a sample
letter that may be used to inform the requester of a transfer
to the appropriate HUD Office.
3-10 Verification of Identity. The Privacy Act requires agencies to
develop procedures to verify the identity of a person requesting to
see or copy his record, but such requirements should not be unduly
burdensome. The purpose is to reasonably ensure that a person is
not improperly granted access to the records of another. The
following procedures should be followed before granting oral and
written requests for access to records.
A. An oral request for access must be accompanied by the
following identification:
1. A document bearing the requester's photograph (building
pass, license, etc.).
2. A document bearing the requester's signature.
3. In the event of no such document, a signed statement
asserting the requester's identity and stipulating that
the requester understands the penalty provisions of the
Act. See Exhibit 3-10 for an example of such a
statement.
4. If the requester is a parent or legal guardian of the
individual to whom the record pertains, the Privacy Act
Officer must also obtain proof of identification through
a certified or authenticated copy of the court's order in
the case of a ward. In no event can a parent or guardian
act for a decedent. However, access to Office of Human
Resources records maintained by the Department may be
granted to a survivor of a deceased employee, or
annuitant or someone acting in his behalf.
5. In order to facilitate processing, the Privacy Act
Officer should also determine if the request for access
is a result of an earlier inquiry.
B. Written request for access should contain the same identifying
information as required for an oral inquiry. Proof of
identity should be established by a certificate of a notary
public or equivalent officer empowered to administer oaths.
C. Whether the request for access is oral or in writing, the
following will apply:
1. If the request is misdirected, the Department official
receiving it will promptly refer it to the appropriate
Privacy Act Officer; the time of receipt of the request
for processing purposes is the time the Privacy Act
Officer receives it.
2. If the request fails to contain all the necessary
information and documents, the Privacy Act Officer will
inform the requester that the time of receipt for
processing purposes will be the time when he provides the
additional information. See Exhibit 3-6 for a sample
letter that may be used for this purpose.
3. Once, in the opinion of the Privacy Act Officer, there is
sufficient information to process the request, a record
search procedure must be initiated. This involves
contacting HUD staff(s) that maintain(s) the system(s) of
records. Exhibit 3-7 contains a Record Search Information
Log that may be used to retain a history of this
activity.
4. The Privacy Act Officer will respond to a request within
10 working days of receipt of the request. If a response
cannot be made within 10 working days, the Privacy Act
Officer will notify the requester of the estimated date
that a response can be made and the reason for the delay.
See Exhibit 3-8 for a sample letter that may be used for
this purpose.
5. The requester shall not be required to state a reason or
otherwise justify his request for access to a record.
D. If the record is contained in a personnel file under control
of the Office of Human Resources, the request can be made
directly to the appropriate Personnel Officer who will act for
the Privacy Act Officer in this case.
3-11 Disclosure of Requested Information to Individuals. Under the
Privacy Act, an individual has access to records only if those
records are within a system of records; i.e., the records are
retrieved by the individual's name or other identifier.
A. Upon granting access to a record in response to a request for
access the Privacy Act Officer will notify the requester in
writing, providing the following information:
1. The time and place where the records will be available
for personal inspection, and the period of time that the
records will be available for inspection;
2. A copy of the information requested if no fees are
involved;
3. An indication of whether the copy will be held pending
receipt of fees to cover the cost of copying documents,
and the estimate of the fee for copying the record;
4. An indication that the requester may be accompanied by
another individual during the period of access and the
procedures required to allow that individual access to
the record. See paragraph 3-11, B., 4.;
5. And, any additional requirements needed to grant access
to a specific record.
B. The Privacy Act Officer will also ensure that:
1. Manual record files are the source for disclosing the
information and for copying purposes unless a computer
printout of the record is both easily available and
readable (clear English).
2. Any information or assistance that is needed to make the
record intelligible will be provided at the time of
access.
3. Original records will only be available under the
immediate supervision of the Privacy Act Officer or his
designee and that copies or abstracts may be available to
guarantee the security of the original record.
4. When the requester is accompanied by another person(s),
the individual to whom the record pertains will authorize
the presence of that other person, in writing, including
the name of the individual and the record to which access
is sought, sign the authorization and have the
accompanying individual sign the authorization in the
presence of the Privacy Act Officer (see Exhibit 3-11
for an example of such an authorizing document).
3-12 Initial Denial of Access to Records. The Privacy Act Officer may
not deny an individual access to any record pertaining to the
individual except under highly selective conditions.
A. Grounds for denial of access to an individual's record(s)
follow:
1. The record is in a system of records which the Department
has exempted from access or in a system of records
exempted by another agency responsible for filing a
notice on the system. The exemption status of a system
of records is found in the individually published system
of records notice.
2. The record was compiled in reasonable anticipation of a
civil action or proceeding.
3. The individual has unreasonably failed to comply with
procedural requirements for requesting access.
B. Notification of denial of a request for access must be in
writing and should include the following information:
1. The Privacy Act Officer's name and title or position.
2. The date of the denial.
3. The reason(s) for the denial, including citation to the
appropriate section(s) of the Act and the Departmental
regulations.
4. The individual's opportunity for an administrative review
of the denial through a Departmental appeal procedure,
which includes a written request for review within 30
calendar days that contains copies of the original
request for access, and a statement of why the denial is
believed to be in error.
5. The name and address of the Departmental Privacy Appeals
Officer.
6. If the denial is administratively final (that is, no
opportunity for an appeal), then state the individual's
right to judicial review, including citation of the
appropriate section(s) of the Act and the Departmental
regulations. This can occur when the request for access
is to another agency's record in your possession which
has been exempted by them under the provisions for a
"General Exemption."
3-13 Appeal of Initial Denial of Access to Records. The Privacy Appeals
Officer will review any initial denial of access to records only if
a written request for the review is filed within 30 calendar days
from the date of the notification of denial of access to the
record.
A. The appeal package must contain:
1. A copy of the request for access.
2. A copy of the written denial of the request for access.
3. A statement of the reasons why the initial denial is
believed to be in error.
4. The individual's signature.
B. The procedures and processing relating to appeal requirements
are contained in Appendix D.
3-14 Request for Correction or Amendment to a Record. Any individual
may submit a request to the Department for correction or amendment
of a record pertaining to that individual, or to a dependent child
or legal ward. Privacy Act Officers should attempt to honor oral
requests whenever possible, but they may require that the request
be submitted in writing.
A. The request for correction or amendment should include the
following information:
1. A specific identification of the record sought to be
corrected or amended.
2. The specific wording to be deleted, if any.
3. The specific wording to be added, if any, and the exact
place at which it is to be inserted or added.
4. A statement of the basis for the requested correction or
amendment, including all available supporting documents
or materials which substantiate the statement.
5. Since the request, in all cases, will follow a previous
request for access, the individual's identity will be
established by his signature on or accompanying the
request.
B. Upon receipt of the request for correction or amendment to a
record, the Privacy Act Officer will make a determination
within 10 working days, to do one of the following:
1. Make the requested correction or amendment and notify the
individual of the action taken;
2. Acknowledge receipt of the request and provide an
estimate of time within which action will be taken,
explaining to the requester any unusual circumstances
(such as, records are in inactive storage, field
facilities or other establishments; voluminous data are
involved, information on other individuals must be
separated or deleted; consultation with other agencies
having a substantial interest in the determination are
necessary). The Privacy Act Officer may also ask for
such further information as may be necessary to process
the request; or,
3. Inform the individual in writing that the request is
denied.
C. Upon receipt of further information that may have been
requested, the Privacy Act Officer will acknowledge within 10
working days and promptly determine to do one of the
following:
1. Make the requested correction or amendment and notify the
individual of the action taken, providing, when feasible,
a copy of the corrected or amended record.
(a) If the uncorrected record has been disclosed to a
person or an agency and an accounting was made of
the disclosure, the Privacy Officer will notify all
such persons and agencies of the correction or
amendment.
(b) A recipient agency maintaining the record must
acknowledge receipt of the notification, correct or
amend the record, and notify any other person or
agency to whom it has disclosed the record,
providing an accounting was made of the disclosure,
of the substance of the correction or amendment.
2. Inform the individual in writing that the request is
denied.
3-15 Criteria for Considering a Request for Correction or Amendment.
The Privacy Act Officer will consider the following criteria in
making a determination on a request to correct or amend an
individual's record:
A. The sufficiency of the evidence submitted by the individual.
B. The factual accuracy of the information.
C. The relevance and necessity of the information in terms of
purpose for which it was collected.
D. The timeliness and currency of the information in terms of the
purpose for which it was collected.
E. The completeness of the information in terms of the purpose
fo