HUD Privacy Act Handbook
Directive Number: 1325.1
U.S. Department of Housing and Urban Development
Office of Administration
1325.01 REV-1

TABLE OF CONTENTS

CHAPTER 1. INTRODUCTION TO THE HANDBOOK
1-1 Purpose
1-2 Records Subject to the Privacy Act
1-3 HUD Employees and the Privacy Act
1-4 Citations and References
1-5 Definitions

CHAPTER 2. INTRODUCTION TO THE PRIVACY ACT
2-1 Necessity
2-2 Purpose
2-3 Departmental Policy
2-4 Your Responsibilities
2-5 Criminal Penalties

CHAPTER 3. PROCEDURES FOR PROCESSING AND MONITORING REQUESTS FOR RECORDS SUBJECT TO THE PRIVACY ACT
3-1 Introduction
3-2 Personnel involved in Privacy Act
3-3 Relationship between the Privacy Act and the Freedom of Information Act
3-4 Choosing the Appropriate Act
3-5 Exemptions from the Privacy Act
3-6 Conditions of Disclosure
3-7 Accounting for Certain Disclosures
3-8 Inquiries concerning Systems of Records
3-9 Individual requests for Access to Information maintained in Systems of Records
3-10 Verification of Identity
3-11 Disclosure of Requested Information to Individuals
3-12 Initial Denial of Access to Records
3-13 Appeal of Initial Denial of Access to Records
3-14 Request for Correction or Amendment to a Record
3-15 Criteria for Considering a Request for Correction or Amendment
3-16 Initial Denial to Correct or Amend a Record
3-17 Appeal from Initial Denial to Correct or Amend a Record
3-18 Reproduction Fees

CHAPTER 4. ESTABLISHING AND MANAGING PRIVACY ACT SYSTEMS OF RECORDS
4-1 Introduction
4-2 Responsibilities of the System Manager
4-3 Situations Requiring a Report and Federal Register Notice
4-4 Contents of the New or Altered System Report
4-5 Timing, OMB Concurrence, and Publication of the Federal Register Notice

CHAPTER 5. COMPUTER MATCHING PROGRAMS
5-1 General
5-2 Definitions
5-3 The Data Integrity Board
5-4 Conducting Matching Programs
5-5 Due Process for Matching Subjects

CHAPTER 6. APPLICATION OF THE PRIVACY ACT TO OTHER RELATED FUNCTIONS
6-1 Introduction
6-2 Automated Data Reporting Systems
6-3 ADP Security
6-4 Procurement of Computer Equipment and Systems
6-5 Procurement and Contracts
6-6 Forms and Reports Management
6-7 The Privacy Conscience of the Department

CHAPTER 7. REPORTING REQUIREMENTS
7-1 Introduction
7-2 Examples of Privacy Act Reviews
7-3 Privacy Act Reports

Appendices
A. Privacy Act Case Log
B. Privacy Act Officers' Locations
C. Privacy Act of 1974 (as amended)
D. Appeal Procedures
E. Responsibilities of Privacy Act Systems Managers
F. Computer Matching Programs Timetable
G. Guidelines for Establishing Safeguards for Records Subject to the Privacy Act
H. Guide to the Privacy Act of 1974 and the Departmental Privacy Act Regulations
I. Privacy Act Systems of Records

LIST OF EXHIBITS
3-1 Sample Letter to Inform Individual of a Request for Access to his Personal information
3-2 Sample Form to Obtain Consent to Disclose Personal Information
3-3 Sample form for recording accounting disclosures
3-4 Sample Privacy Act Request Letter
3-5 Sample Letter Informing Requester of Transfer of Privacy Act Request to Appropriate HUD Office
3-6 Sample Letter used to obtain additional information
3-7 Sample Record Search Information Log
3-8 Sample Letter for Privacy Act Processing over 10 days
3-9 Sample Letter to Inform Requester of Departmental Action
3-10 Sample Statement of Identity
3-11 Sample Requester's Authorization for an Accompanying Individual
4-1 Sample of a New System of Records Notice
4-2 Sample of an Altered or Amended System of Records Notice

CHAPTER 1. INTRODUCTION TO THE HANDBOOK

1-1 PURPOSE. This Handbook has two main goals.
A. To provide every employee of the Department with information on their rights and responsibilities under the Privacy Act.
B. To establish policies, procedures, requirements and guidelines for the implementation of the Department's Privacy Act responsibilities.

1-2 RECORDS SUBJECT TO THE PRIVACY ACT (PRIVACY ACT RECORDS). A group of records is subject to the Privacy Act if it satisfies all three of the following criteria:
A. Contains an item, collection, or grouping of information about an individual.
B. Contains name, or identifying number, symbol, or other identifying particular assigned to the individual such as a finger or voice print.
C. Consists of a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

1-3 HUD EMPLOYEES AND THE PRIVACY ACT. The Privacy Act imposes requirements on staff members performing in different roles. Each of the roles carries with it special activities with regard to safeguarding the rights of others and carrying out the responsibilities of the Department. The roles are highlighted below:
A. Every employee must safeguard the privacy of every other person, both employee and citizen-client of the Department. This can be accomplished in three ways:
1. Do not let anyone have access to records under your control which contain personal information unless it is: in the performance of official duties (including "routine use" transfers of data); required under the Freedom of Information Act; by direction of a Privacy Act Officer; by direction of the Privacy Appeals Officer (following an appeal of a denial); or under one of the other conditions of disclosure listed in paragraph 3-5 of this handbook.
2. Purge your files of personal data on individuals as soon as the information is no longer useful, as permitted by law.
3. Minimize the collection of data containing personal information on individuals.
B. Employees responsible for the Office of Human Resources controlled personnel data have three responsibilities in addition to safeguarding individual privacy: to allow an employee access to his or her own personnel records, but under strict supervision to avoid or prevent the possible altering of the official file; to ensure that an employee's right to have a single copy of any or every item in his or her personnel folder is granted; and to ensure that personnel data routed through the mailroom are enclosed in a sealed envelope.
C. Employees responsible for transferring data are likewise responsible for accounting for the disclosure of records containing identifiable personal data on individuals. Such accounting must be made except under the following conditions: transfer to another individual within HUD who uses this information in the performance of his or her official duties; and transfer of information under the Freedom of Information Act (FOIA). The term "transfer" includes disclosure and divulgence of records and information from records to any other agency or individual. Detailed information pertaining to disclosure accounting requirements is contained in paragraph 3-6 of this handbook.
D. The Assistant Secretary for Administration is responsible for carrying out the requirements of the Privacy Act, and for establishing such policies and procedures as are necessary for full compliance with the Act.
E. The Departmental Privacy Act Officer within the Office of Information Policies and Systems is responsible for developing, implementing, and interpreting the Department's policies and programs prescribed by the Act and the Office of Management and Budget (OMB). Also, he or she is designated the Privacy Act Officer for Headquarters. The Director, Office of Human Resources, Office of Administration, is delegated authority to act on Privacy Act inquiries and requests for access, copying and correction of records in the Official Personnel Files (OPFs) for employees serviced by Headquarters.
F. Privacy Act Officers are authorized to act on all Privacy Act requests for information, including inquiry, access, change and denial, and are responsible for ensuring that individual rights are protected. The head of each HUD Field Office is designated the Privacy Act Officer. This authority may be redelegated to a staff member.
G. Privacy Act Coordinators are officially-designated Privacy Act representatives within each Headquarters Primary Organization and within each Office of the Assistant Secretary responsible for maintaining liaison with the Departmental Privacy Act Officer, and for representing their organization head in Privacy Act activities necessary to ensure compliance (1) with the Act and (2) with implementing OMB and Departmental requirements. They are also responsible for providing information to be used in responding to OMB reporting requirements and for serving as a contact point in their organization in responding to Privacy Act requests for access to records.
H. The Privacy Appeals Officer is responsible for determining the legal correctness of any denial determination that is appealed. The General Counsel is designated as the Privacy Appeals Officer. The Privacy Appeals Officer for the Office of Inspector General is the Inspector General.
I. Systems Managers are responsible for the policies and practices governing the systems of records they manage and for ensuring that the systems they manage are operated in
compliance with Privacy Act and Departmental requirements. (See Appendix E for additional detail regarding System Manager responsibility for complying with the Privacy Act.)
J. Mailroom employees are responsible for ensuring that all Privacy Act mail, so marked, is sent directly to the appropriate Privacy Act Officer. Privacy Act requests should be handled in the following manner:
1. If an envelope or a letter contains the words "Privacy," "Privacy Act," "Privacy Officer" or combinations of these, it is to be forwarded directly to the Privacy Act Officer in the local Field Office which received the letter. If such is received in Headquarters, it should be sent to the Departmental Privacy Act Officer, Office of Information Policies and Systems.
2. All mail marked "Privacy Appeals Officer" or with similar notations containing the words "Privacy" and "Appeals" should be sent directly to the Privacy Appeals Officer, Office of General Counsel, Washington, D. C. In the Field, this mail is forwarded to the designated Privacy Act Officer for forwarding to the Privacy Appeals Officer.

1-4 CITATIONS AND REFERENCES.
THE PRIVACY ACT OF 1974 (As Amended): Public Law 93-579; Title 5, United States Code, Section 552a (usually cited as P.L. 93-579 or 5 USC 552a)
Computer Matching and Privacy Protection Act: Public Law 100-503
IMPLEMENTATION OF THE PRIVACY ACT OF 1974, Rules and Regulations: Title 24, Subtitle A, Code of Federal Regulations, Part 16 (usually cited as: 24 CFR Part 16)

The Privacy Act of 1974 (as amended), 5 USC 552a, is contained in
Appendix C. A guide to the provisions of the Act and the Rules and Regulations, in layman's language and complete with citations and cross-references to the law and the regulations, is contained in Appendix H.

1-5 DEFINITIONS. Both the Privacy Act and the related Departmental regulations use terms which have specific meanings with regard to the procedures for protecting individual privacy. These terms, also used in this Handbook, are defined below to assist you in understanding your rights and responsibilities, and those of the Department, with regard to individual privacy.
A. "Accounting" means the cataloging of disclosures made to any person or agency, public or private. No accounting is required if the disclosure is made to: (1) the subject of the record, (2) HUD employees who have a need to have access to the record in the performance of their official duties, and (3) members of the public as required by the Freedom of Information Act.
B. "Access" means the process of permitting individuals to see or obtain copies of records about themselves from a Privacy Act system of records. Under the Department's Federal Conduct Rule at 24 CFR Part 9, HUD must make records available to employees in an accessible format. This may include braille, tape, large print, readers, personal computer with voice, etc.
C. "Agency" means any Federal Department, Administration or Office as defined under "Agency" in section 552(e) of Title 5 of the United States Code, Freedom of Information Act. This means this Department, not a component.
D. "Appeal" means the request by an individual to have the Department review and reverse the Privacy Act Officer's decision to deny the individual's initial request for access to, or correction or amendment of, a record of information pertaining to him. The adjudication of an appeal is made by the Privacy Appeals Officer.
E. "Denial of access or correction" means refusal by a Privacy Act Officer to permit the subject of a record to see all or part of this record. Denial of access only can be exercised for records for which an exemption has been published in the Federal Register as part of the description of that system of records. Denial of correction, addition, or deletion of a record is determined by a Privacy Act Officer after fully evaluating all evidence furnished by the individual requesting the record change.
F. "Department" means the U.S. Department of Housing and Urban Development.
G. "Disclosure" means releasing any record or information on an individual by any means of communication to any person or to another agency, public or private.
H. "Him" or "His" means him (her) and his (hers), respectively.
I. "Individual" means a citizen of the United States or an alien lawfully admitted for permanent residence.
J. "Inquiry" means a request by an individual or his legal guardian to have the Department determine whether it has any record(s) of information pertaining to him in one or more of the systems of records covered by the Act.
K. "Maintain" means collect, maintain, use, or disseminate.
L. "Privacy Act" or "Act" means the Privacy Act of 1974, Public Law 93-579 (5 USC 552a).
M. "Privacy Act notice" means a statement, imprinted on or attached to a request for personal information, stating: the authority of the Agency to collect the data; the purpose or how the information is to be used; the routine use of or other agencies and individuals that may have access to the data; whether it is mandatory or voluntary on the part of the individual to supply the information; and the penalty, if any, that may be assessed against the individual for not supplying all or part of the information. The information in this Notice permits an individual to make an informed decision as to whether or not to comply with the request for personal information.
N. "Privacy Act Request" means a request by an individual about the existence of, access to, or amendment of a record about himself or herself that is in a Privacy Act system of records. The request does not have to specifically cite or otherwise show dependence on the Act to be considered a Privacy Act request.
O. "Record" means any item, collection, or grouping of information about an individual which also includes his name, or any identifying number, symbol, or other particular, such as a finger or voice print, or a photograph. Throughout this Handbook, "Record" refers to each record in a system of records covered by the Act.
P. "Request for access" means a request by an individual or his legal guardian to inspect and/or copy and/or obtain a copy of a record of information pertaining to the subject individual.
Q. "Request for correction or amendment" means the request by an individual or his legal guardian to have the Department change
(either by correction, addition or deletion) a particular record of information pertaining to the subject individual.
R. "Routine use" means the use of a record for a purpose which is compatible with the purpose for which it was collected. Further, it means the record may be disclosed for this purpose without the consent of the subject of the record, to any agency outside the Department which has been identified as having a need for this information and these agencies and individuals have been identified in the Federal Register description of the system of records.
S. "Statistical record" means a record maintained for statistical research or reporting purposes only, and is not to be used in whole or in part in making any determination about an identifiable individual, except as allowed for in Title 13, Section 8, of the United States Code (which refers to the activities of the U.S. Bureau of the Census).
T. "System Manager" means an official who is responsible for the management, operation, and release of information from a system of records subject to the Privacy Act.
U. "System of records" means a group of records under the control of HUD from which information is retrieved by the name of the individual, or by some identifying number, symbol or other identifying characteristic unique to the individual.

CHAPTER 2. INTRODUCTION TO THE PRIVACY ACT

2-1 NECESSITY. Federal agencies collect and disseminate a great deal of personal information about individuals. Records are maintained on employees of the agency, persons doing business with the agency and persons serviced by the agency. In order to safeguard the privacy of individuals from possible infringement, either willful or accidental, by other individuals or public agencies, the Congress of the United States enacted and the President signed Public Law 93-579 on December 31, 1974, entitled the "Privacy Act of 1974." The Act was amended in 1988 to incorporate the requirements for conducting computer matching programs. The Congress stated the following reasons for the necessity of such a law:
A. The privacy of an individual is directly affected by the collection, maintenance, use and dissemination of personal information.
B. The increasing use of computers and sophisticated information technology, which is essential to efficient operations and data handling, has greatly increased the possible harm that can occur to an individual's privacy from any collection, maintenance, use or dissemination of personal information.
C. The opportunities for an individual to obtain employment, insurance and credit, and his right to due process under the law and other legal protections are in danger from the possible misuse of certain information systems.
D. The right to privacy is a personal and fundamental right protected by the Constitution of the United States.
E. In order to protect the privacy of an individual who is identified in a Federal information system, Congress must regulate the collection, maintenance, use and dissemination of this information with regard to that system.

2-2 PURPOSE. The objective of the Privacy Act is to provide safeguards for an individual against an invasion of his privacy. In order to accomplish this, the Act requires Federal agencies to follow strict rules of procedure, unless otherwise directed by the law:
A. An individual must be permitted to determine what records pertaining to him are collected, maintained, used or disseminated by Federal agencies.
B. An individual must be allowed to prevent records pertaining to him, that were collected for a specific purpose, from being made available for another purpose without his consent.
C. An individual must be allowed access to information pertaining to him in agency records and to have a copy made of all or any part of that information.
D. An individual must be given the right to seek correction or amendment of any agency record pertaining to him.
E. The agency may not collect, maintain, use or disseminate any record identifying personal information unless it is for a necessary and lawful purpose.
F. The agency must assure that any information it does collect, maintain, use or disseminate is current and accurate for its intended use, and that adequate safeguards exist to prevent misuse of that information.
G. The agency may exempt records of information from specific requirements of the Act only when an important public policy need for the exemption has been determined by specific statutory authority.
H. The agency will be subject to civil suit for any damages which occur as a result of willful or intentional action which violates any individual's rights under the Privacy Act.

2-3 DEPARTMENTAL POLICY. The U.S. Department of Housing and Urban Development established its policies and procedures for implementing the Act by adopting Part 16, Implementation of the Privacy Act of 1974, as an amendment to Title 24 of the Code of Federal Regulations. Part 16 sets forth the following items of Departmental policy:
A. The Department forbids the collection, maintenance, use or dissemination of secret records. For the purposes of the Privacy Act, secret records are official records containing personal information about individuals; these records are retrieved on the basis of a unique identifier (e.g., name, social security number) corresponding to the individual himself and have not been published in the Federal Register.
B. The Department will ensure the protection of individual privacy by safeguarding against the unwarranted disclosure of records containing information on individuals.
C. The Department will act promptly on any request for information about, for access to or for appeal against a decision concerning records containing information on individuals, which is made by a citizen of the United States or an alien lawfully admitted for residence into the United States, regardless of the age of the individual making the request or the reason for the request.
D. The Department will maintain only information on individuals which is relevant and necessary to the performance of its lawful functions.
E. The Department is responsible for maintaining information on individuals with such accuracy, relevancy, timeliness and completeness as is reasonably necessary to assure fairness to the individual in any determinations that are made.
F. The Department will make every effort to obtain information about an individual directly from the individual.
G. The Department will not maintain any record describing how an individual exercises his or her rights guaranteed by the First Amendment (freedom of religion, speech and press, peaceful assemblage, and petition of grievances), unless expressly authorized by statute or by the individual.
H. The Department will ensure an individual the right to seek the correction or amendment of any record in a system of records pertaining to him or her.
I. The Department will review upon appeal all decisions that deny access to or corrections and amendments of records under the Act.
J. The Department requires all organizational components to follow the same rules and procedures to assure uniformity and consistency in implementation of the Privacy Act.
K. With respect to requests for information, the Department will disclose the maximum amount of requested information within the constraints of legality.

2-4 YOUR RESPONSIBILITIES. As an employee of the Department you have certain responsibilities to assist the Department in safeguarding your rights and those of others. These responsibilities, for which you are held accountable by law, are listed below:
A. Do not disclose any record contained in a system of records by any means of communication to any person, or another agency except under the specific conditions of disclosure stated in the Act and in Departmental regulations.
B. Do not maintain unreported files which would come under the Act. Paragraph 4-3 describes reporting requirements.
C. Do not maintain records describing how any individual exercises his or her rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual. The First Amendment protects an individual's rights of free assembly; freedom of religion, speech and press; and to petition the Government.
D. Privacy rules that will help you avoid the difficulties associated with Items A., B., and C., above, are the following:
1. Safeguard the privacy of all individuals and the confidentiality of all personal information.
2. Report the existence of all personal information systems not published in the HUD Privacy Systems Notice to your Privacy Act Officer.
3. Account for all transfers of personal records outside the Department. See paragraph 3-6.
4. Limit the availability of records containing personal information to Departmental employees who need them to perform their duties.
5. Avoid unlawful possession of or unlawful disclosure of individually identifiable information.
E. All HUD program office Records Management Liaison Officers (RMLOs) must ensure that retention and disposition schedules
are in place for records in their specific program areas covered by the Privacy Act systems of records. Existing records disposition schedules can be found in Handbooks 2225.6 REV-1, HUD Records Disposition Schedules; and 2228.2 REV-2, General Records Schedules.

2-5 Criminal Penalties. The Privacy Act provides the following penalties for unauthorized disclosure of records. All three are misdemeanors punishable by fines of $5,000.
A. Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by the Privacy Act or by rules or regulations of the Department, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor.
B. Any officer or employee of HUD who willfully maintains a system of records without meeting the notice requirements in paragraph 4-3 of this handbook shall be guilty of a misdemeanor.
C. Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor.

CHAPTER 3. PROCEDURES FOR PROCESSING AND MONITORING REQUESTS FOR RECORDS SUBJECT TO THE PRIVACY ACT

3-1 Introduction. This chapter sets forth procedures for processing requests for access to or amendment of records under the Privacy Act. It also includes procedures for disclosing records, and accounting for such disclosures.

3-2 Personnel involved in Privacy Act activities fall into two categories: those who process and disclose information and those who make decisions concerning the disclosure of the information. The first category includes mailroom personnel and persons responsible for transmitting information and accounting for the disclosures. Mailroom employee responsibilities are discussed in paragraph 1-3. Procedures for processing requirements relating to making decisions concerning the disclosure of the information are discussed in this chapter. However, any questions concerning the handling of information and/or disclosures should be resolved directly with the Privacy Act Officer.

3-3 Relationship between the Privacy Act and the Freedom of Information Act (FOIA). In some instances individuals requesting access to records pertaining to themselves may not know which Act to cite as
the appropriate statutory authority. The following guidelines are to ensure that the individuals receive the greatest degree of access under both Acts:
A. Any person may use the FOIA to request access to agency records. This includes U.S. citizens, permanent resident aliens, foreign nationals, corporations, unincorporated associations, universities, and state and local governments. The FOIA enables a person to obtain access to agency records. Only those records that are not maintained by the requester's identifier and hence not "records" within "systems of records" are available under FOIA.
B. Only individuals may use the Privacy Act. "Individual" is limited to U.S. citizens and aliens lawfully admitted for permanent residence. The Privacy Act, in addition to access, establishes a right to correct, amend, or expunge records about an individual that are not accurate, relevant, timely and complete. Only records that are retrieved by the individual's personal identifier and not exempt from access as described in paragraph 3-11 are releasable.

3-4 Choosing the Appropriate Act. When deciding under which Act to process a request for information, the following factors should be considered.
A. If the request is from an individual seeking information pertaining to him, cites only the Privacy Act, and the responsive documents are contained in a system of records pertaining to the requester, the request should be processed under the Privacy Act, taking into account any exemptions available under the statute.
B. If the request cites only the FOIA, requests information about a project, a program, an organization, etc., it should be processed under the FOIA, taking into account only those exemptions under the FOIA. See the FOIA handbook 1327.1, REV-1, for more specific details relating to FOIA procedures and processes. Additional guidance on FOIA exemptions which allow the Department to withhold certain information can be obtained from the Freedom of Information Officer in the Office of Executive Secretariat.
C. If the requester cites both the Privacy Act and the FOIA, process it under the Act that provides the greater degree of access.
D. Do not penalize the individual access to his records otherwise releasable, solely because he failed to cite the appropriate statute or instruction.

3-5 Exemptions from the Privacy Act. The Privacy Act permits certain
types of systems of records to be exempt from access and other provisions of the Act. There are ten exemptions which are described at 5 U.S.C. 552a(d)(5), 5 U.S.C. 552a(j) and 5 U.S.C. 552a(k). See Appendix C, The Privacy Act of 1974, as amended, for a detailed description of all of the exemptions. Whether a system of records may be exempted is based on the purpose of the system of records, not the identity of the organizational component maintaining the records. When it is determined that a system of records should be exempted from certain provisions of the Act, a proposed rule must be published in the Federal Register naming the system and stating the specific provisions of the Act from which the system is to be exempted and the reasons. After a 30-day period for public comment, a final rule must be published in the Federal Register. Agencies may not withhold records under an exemption until these requirements have been met. The Privacy Act Officer should be contacted for further guidance on whether or not a system of records should be exempted and for assistance in preparing the appropriate documents required for the Federal Register Notices.

3-6 Conditions of Disclosure. The Privacy Act prohibits the Department from disclosing any record contained in a system of records in any way to anyone without a written request from or prior written consent from the individual concerned in the record, unless disclosure is for one of the following purposes:
A. Performance of duties by the officers and employees of the Department.
B. Required in response to a request under the Freedom of Information Act, Title 5, Section 552 of the United States Code.
C. Routine use, as defined in 1-5, R., where the routine use and the purpose of such use have been published in the Federal Register.
D. To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title 13.
E. To a recipient who has provided HUD with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is disclosed in a form that is not individually identifiable. This exception is limited to records which, even in combination, cannot be used to identify individuals.
F. To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or his
designee to determine whether the record has such value.
G. To another agency or instrumentality of any governmental jurisdiction within or under the control of the United States for a criminal or civil law enforcement activity if the activity is authorized by law and if the head of the agency or instrumentality has made a written request to the agency maintaining the record specifying the particular portion desired and the law enforcement activity for which the record is sought. The head of an agency, for purposes of this condition of disclosure, means an official of the requesting law enforcement agency at or above the rank of section chief or equivalent.
H. The health or safety of an individual, and then only if the person making the request has shown a "compelling circumstance" and notification of the disclosure is sent to the individual's last known address.
I. To either house of Congress, or, to the extent of matters within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee. This does not authorize the disclosure of a Privacy Act record to an individual member of Congress acting in his own behalf or on the behalf of a constituent.
J. To the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the General Accounting Office.
K. Required by the order of a court of competent jurisdiction. Keep in mind, however, that a subpoena routinely issued by a court clerk is not acceptable, as it must be signed by a judge.
L. To a consumer reporting agency in accordance with section 3711(f) of title 31. A consumer reporting agency is a person or business which assembles and evaluates information for third parties or makes/markets credit reports. A routine use must be established prior to disclosing information to a consumer reporting agency.
Prior to disclosure, the agency head must determine that a valid claim exists and inform the individual: that the debt is overdue; that the agency intends to notify a consumer reporting agency; what information will be released; and that the individual may seek a full explanation of the claim, dispute the claim and appeal the initial agency decision with respect to the claim. 3-7 Accounting for Certain Disclosures. The Privacy Act requires agencies to keep an accounting of disclosures made from its systems of records so that it is simpler to trace data to be corrected, and
to inform individuals about disclosures made and to monitor compliance. Accounting for disclosures means to record in some way what was disclosed and to whom. Thus, any employee who discloses such information must maintain a record of account. It is not necessary to account for disclosures that transfer records to another individual within HUD who uses the information in the performance of his official duties or the FOIA. In the event that a request for access is received from an agency that is not listed under "routine use" or an individual who is not the subject of the requested record, prior consent must be obtained from the subject individual each and every time before that disclosure can be made. See Exhibit 3-1 for a sample letter that may be used to inform the subject individual of the request and Exhibit 3-2 for a sample form that may be used to obtain consent.
A. Content of Accounting Records. The accounting record must include the date, nature, and purpose of the disclosure, and the name and address of the recipient. It must be kept for 5 years after the disclosure is made or the life of the record, whichever is longer. Also, the individual must be given access to the disclosure accountings about him. See Exhibit 3-3 for a sample form that may be used for recording accounting disclosures.
B. Maintaining Disclosure Accounting Records. Disclosure accounting records are official office records and must be kept available for reference and review. They are to be maintained by the Office, Division or Branch that maintains the disclosed information. Specific details of the disclosed records should be recorded.

3-8 Inquiries Concerning Systems of Records. Anyone may inquire into the existence of a record of information pertaining to one's self or to a dependent child or legal ward in a system of records maintained by the Department.
Privacy Act Officers should attempt to honor oral requests whenever possible, but in the event of questions on the validity of the request, the Privacy Act Officer should have a request submitted in writing.
A. Inquiries should contain the following information: name, address and telephone number of the requester; name, address and telephone number of the individual to whom the record pertains, if the individual is a minor or legal ward of the requester; a certified or authenticated copy of documents establishing parentage or guardianship, if such is necessary; whether the individual to whom the record pertains is a citizen or an alien lawfully admitted for residence into the United States; name and location of the system of records as published in the Federal Register; any additional information that might assist the Department in responding to the inquiry; date of the inquiry; the requester's signature. Exhibit 3-4 contains a sample Privacy Act request letter.
1. If an inquiry is misdirected, the Departmental official receiving it should promptly refer it to the appropriate Privacy Act Officer; the time of receipt for processing purposes is the time that the Privacy Act Officer receives the inquiry. The requester should be informed of the transfer. See Exhibit 3-5 for a sample letter informing the requester of the transfer of a Privacy Act Request to the appropriate HUD office.
2. An historical log should be maintained by each Privacy Act Officer for each case handled in his office. Appendix A presents a Privacy Act Case Log for this purpose, which should be started at the beginning of each calendar year and retained for an additional calendar year.
3. If a requester does not know the name of the system of records he is concerned about, the Privacy Act Officer will provide assistance either in person or by mail.
4. If an inquiry fails to contain all necessary information, the Privacy Act Officer will inform the requester that the time of receipt for processing purposes will be the time when the additional necessary information is received. See Exhibit 3-6 for a form letter that may be used to obtain the additional information.
5. Once there is sufficient information to process the request, a record search procedure must be initiated. This involves contacting the HUD staff(s) that maintain(s) the system(s) of records. Exhibit 3-7 contains a Record Search Procedure Log that may be used to retain a history of this activity.
6. The Privacy Act Officer should make every effort to respond to an inquiry within 10 working days of receipt of the inquiry. If a response cannot be made within 10 working days, the Privacy Act Officer will notify the requester of this fact and provide him with an estimate of when the request would be satisfied, as well as the reason for the delay. See Exhibit 3-8 for a sample letter that may be used for this purpose.
7.
Paragraphs 3-8 through 3-16 relate to the processing of the various types of Privacy Act requests and the Departmental responsibilities with respect to them. Exhibit 3-9 contains a sample letter by which the requester can be informed of the Departmental action taken with respect to his request and the actions he must take to obtain the information that was requested, if such are necessary.
3-9 Individual Requests for Access to Information Maintained in Systems of Records.
A. Individual Rights. Any individual may request access to records maintained about him by the Department. The Department must, upon request:
1. Inform an individual whether a system of records contains a record or records pertaining to him;
2. Permit an individual to review any record pertaining to him which is contained in a system of records;
3. Permit the individual to be accompanied by a person of his choosing; and
4. Permit the individual to obtain a copy of any such record in a form comprehensible to him at a reasonable cost. This may include braille, tape, large print, readers, personal computer with voice, etc. No additional fee may be requested from an employee with a disability who requests material in an accessible format.
B. Agency Responsibilities. Privacy Officers should attempt to honor oral requests whenever possible, but may ask that the request be submitted in writing. In the event that a request is misdirected to a HUD office, the Privacy Act Officer should transfer the request to the appropriate office and notify the requester of the transfer. See Exhibit 3-5 for a sample letter that may be used to inform the requester of a transfer to the appropriate HUD Office.

3-10 Verification of Identity. The Privacy Act requires agencies to develop procedures to verify the identity of a person requesting to see or copy his record, but such requirements should not be unduly burdensome. The purpose is to reasonably ensure that a person is not improperly granted access to the records of another. The following procedures should be followed before granting oral and written requests for access to records.
A. An oral request for access must be accompanied by the following identification:
1. A document bearing the requester's photograph (building pass, license, etc.).
2. A document bearing the requester's signature.
3.
In the event of no such document, a signed statement asserting the requester's identity and stipulating that the requester understands the penalty provisions of the
Act. See Exhibit 3-10 for an example of such a statement.
4. If the requester is a parent or legal guardian of the individual to whom the record pertains, the Privacy Act Officer must also obtain proof of identification through a certified or authenticated copy of the court's order in the case of a ward. In no event can a parent or guardian act for a decedent. However, access to Office of Human Resources records maintained by the Department may be granted to a survivor of a deceased employee, or annuitant or someone acting in his behalf.
5. In order to facilitate processing, the Privacy Act Officer should also determine if the request for access is a result of an earlier inquiry.
B. A written request for access should contain the same identifying information as required for an oral inquiry. Proof of identity should be established by a certificate of a notary public or equivalent officer empowered to administer oaths.
C. Whether the request for access is oral or in writing, the following will apply:
1. If the request is misdirected, the Department official receiving it will promptly refer it to the appropriate Privacy Act Officer; the time of receipt of the request for processing purposes is the time the Privacy Act Officer receives it.
2. If the request fails to contain all the necessary information and documents, the Privacy Act Officer will inform the requester that the time of receipt for processing purposes will be the time when he provides the additional information. See Exhibit 3-6 for a sample letter that may be used for this purpose.
3. Once, in the opinion of the Privacy Act Officer, there is sufficient information to process the request, a record search procedure must be initiated. This involves contacting HUD staff(s) that maintain(s) the system(s) of records. Exhibit 3-7 contains a Record Search Information Log that may be used to retain a history of this activity.
4.
The Privacy Act Officer will respond to a request within 10 working days of receipt of the request. If a response cannot be made within 10 working days, the Privacy Act Officer will notify the requester of the estimated date that a response can be made and the reason for the delay. See Exhibit 3-8 for a sample letter that may be used for
this purpose.
5. The requester shall not be required to state a reason or otherwise justify his request for access to a record.
D. If the record is contained in a personnel file under control of the Office of Human Resources, the request can be made directly to the appropriate Personnel Officer who will act for the Privacy Act Officer in this case.

3-11 Disclosure of Requested Information to Individuals. Under the Privacy Act, an individual has access to records only if those records are within a system of records; i.e., the records are retrieved by the individual's name or other identifier.
A. Upon granting access to a record in response to a request for access, the Privacy Act Officer will notify the requester in writing, providing the following information:
1. The time and place where the records will be available for personal inspection, and the period of time that the records will be available for inspection;
2. A copy of the information requested if no fees are involved;
3. An indication of whether the copy will be held pending receipt of fees to cover the cost of copying documents, and the estimate of the fee for copying the record;
4. An indication that the requester may be accompanied by another individual during the period of access and the procedures required to allow that individual access to the record (see paragraph 3-11, B., 4.); and
5. Any additional requirements needed to grant access to a specific record.
B. The Privacy Act Officer will also ensure that:
1. Manual record files are the source for disclosing the information and for copying purposes unless a computer printout of the record is both easily available and readable (clear English).
2. Any information or assistance that is needed to make the record intelligible will be provided at the time of access.
3. Original records will only be available under the immediate supervision of the Privacy Act Officer or his designee and that copies or abstracts may be available to
guarantee the security of the original record.
4. When the requester is accompanied by another person(s), the individual to whom the record pertains will authorize the presence of that other person, in writing, including the name of the individual and the record to which access is sought, sign the authorization and have the accompanying individual sign the authorization in the presence of the Privacy Act Officer (see Exhibit 3-11 for an example of such an authorizing document).

3-12 Initial Denial of Access to Records. The Privacy Act Officer may not deny an individual access to any record pertaining to the individual except under highly selective conditions.
A. Grounds for denial of access to an individual's record(s) follow:
1. The record is in a system of records which the Department has exempted from access or in a system of records exempted by another agency responsible for filing a notice on the system. The exemption status of a system of records is found in the individually published system of records notice.
2. The record was compiled in reasonable anticipation of a civil action or proceeding.
3. The individual has unreasonably failed to comply with procedural requirements for requesting access.
B. Notification of denial of a request for access must be in writing and should include the following information:
1. The Privacy Act Officer's name and title or position.
2. The date of the denial.
3. The reason(s) for the denial, including citation to the appropriate section(s) of the Act and the Departmental regulations.
4. The individual's opportunity for an administrative review of the denial through a Departmental appeal procedure, which includes a written request for review within 30 calendar days that contains copies of the original request for access, and a statement of why the denial is believed to be in error.
5. The name and address of the Departmental Privacy Appeals Officer.
6. If the denial is administratively final (that is, no opportunity for an appeal), then state the individual's right to judicial review, including citation of the appropriate section(s) of the Act and the Departmental regulations. This can occur when the request for access is to another agency's record in your possession which has been exempted by them under the provisions for a "General Exemption."

3-13 Appeal of Initial Denial of Access to Records. The Privacy Appeals Officer will review any initial denial of access to records only if a written request for the review is filed within 30 calendar days from the date of the notification of denial of access to the record.
A. The appeal package must contain:
1. A copy of the request for access.
2. A copy of the written denial of the request for access.
3. A statement of the reasons why the initial denial is believed to be in error.
4. The individual's signature.
B. The procedures and processing relating to appeal requirements are contained in Appendix D.

3-14 Request for Correction or Amendment to a Record. Any individual may submit a request to the Department for correction or amendment of a record pertaining to that individual, or to a dependent child or legal ward. Privacy Act Officers should attempt to honor oral requests whenever possible, but they may require that the request be submitted in writing.
A. The request for correction or amendment should include the following information:
1. A specific identification of the record sought to be corrected or amended.
2. The specific wording to be deleted, if any.
3. The specific wording to be added, if any, and the exact place at which it is to be inserted or added.
4. A statement of the basis for the requested correction or amendment, including all available supporting documents or materials which substantiate the statement.
5. Since the request, in all cases, will follow a previous
request for access, the individual's identity will be established by his signature on or accompanying the request.
B. Upon receipt of the request for correction or amendment to a record, the Privacy Act Officer will make a determination within 10 working days, to do one of the following:
1. Make the requested correction or amendment and notify the individual of the action taken;
2. Acknowledge receipt of the request and provide an estimate of time within which action will be taken, explaining to the requester any unusual circumstances (such as, records are in inactive storage, field facilities or other establishments; voluminous data are involved, information on other individuals