Code of Federal Regulations (Last Updated: November 8, 2024) |
Title 31 - Money and Finance: Treasury |
Subtitle A - Office of the Secretary of the Treasury |
Part 1 - Disclosure of Records |
Subpart C - Privacy Act |
§ 1.23 Publication in the Federal Register - Notices of systems of records, general exemptions, specific exemptions, review of all systems.
(a) Notices of systems of records to be published in the Federal Register.
(1) The Office of the Federal Register publishes a biennial compilation of all system notices (“Privacy Act Issuances”), as specified in 5 U.S.C. 552a(f). In the interim (between biennial compilations), the Department must list and provide links on its website to complete, up-to-date versions of all Treasury system of records notices (SORNs), including citations and links to all Federal Register notices that reflect substantial modifications to each SORN.
(2) In addition, the Department must publish in the Federal Register upon establishment or significant revision a notice of the existence and character of any new or significantly revised systems of records. Unless otherwise instructed, each notice must include:
(i) The system name and number, and location of the system;
(ii) The title and business address of the Treasury official who is responsible for the system of records;
(iii) Security classification, and indication of whether any information in the system is classified;
(iv) Authority for maintenance of the system, the specific authority that authorizes the maintenance of the records in the system;
(v) Purpose(s) of the system, a description of the purpose(s) for maintaining the system;
(vi) The categories of individuals on whom records are maintained in the system;
(vii) The categories of records maintained in the system;
(viii) The categories of sources of records in the system (see 5 U.S.C. 552a(e)(4));
(ix) Each routine uses of the records contained in the system, including the categories of users and the purpose of such use;
(x)-(xix) [Reserved]
(xx) The policies and practices of the component regarding storage, retrievability, access controls, retention, and disposal of the records;
(xxi) The procedures of the component whereby an individual can be notified if the system of records contains a record pertaining to the individual, including reasonable times, places, and identification requirements;
(xxii) The procedures of the component whereby an individual can be notified on how to gain access to any record pertaining to such individual that may be contained in the system of records, and how to contest its content;
(xxiii) Exemptions promulgated for the system; and
(xxiv) History (any previously published notices).
(b) Notice of new or modified routine uses to be published in the Federal Register. At least 30 days prior to a new use or modification of a routine use, as published under paragraph (a)(3)(iv) of this section, Treasury must publish in the Federal Register notice of such new or modified use of the information in the system and allow for interested persons to submit written data, views, or arguments to the components. (See 5 U.S.C. 552a(e)(11).)
(c) Promulgation of rules exempting systems from certain requirements -
(1) General exemptions. In accordance with existing procedures applicable to a Treasury component's issuance of regulations, the head of each such component may adopt rules, in accordance with the requirements (including general notice) of 5 U.S.C. 553(b)(1), (2), and (3), (c) and (e), to exempt any system of records within the component from any part of the Privacy Act and the regulations in this subpart except subsections (b) (§ 1.24, conditions of disclosure), (c)(1) (§ 1.25, keep accurate accounting of disclosures), (c)(2) (§ 1.25, retain accounting for five years or life of record), (e)(4)(A) through (F) (paragraph (a) of this section, publication of annual notice of systems of records), (e)(6) (§ 1.22(d), accuracy of records prior to dissemination), (e)(7) (§ 1.22(e), maintenance of records on First Amendment rights), (e)(9) (§ 1.28, establish rules of conduct), (e)(10) (§ 1.22(d)(3), establish safeguards for records), (e)(11) (paragraph (c) of this section, publish new intended use), and (i) (§ 1.28(c), criminal penalties) if the systems of records maintained by the component which performs as its principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities, and which consists of:
(i) Information compiled for the purpose of identifying individual criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole, and probation status;
(ii) Information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; or
(iii) Reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision. (See 5 U.S.C. 552a(j).)
(2) Specific exemptions. In accordance with existing procedures applicable to a Treasury component's issuance of regulations, the head of each such component may adopt rules, in accordance with the requirements (including general notice) of 5 U.S.C. 553(b)(1), (2), and (3), (c), and (e), to exempt any system of records within the component from 5 U.S.C. 552a(c)(3) (§ 1.25(c)(2), accounting of certain disclosures available to the individual), (d) (§ 1.26(a), access to records), (e)(1) (§ 1.22(a)(1), maintenance of information to accomplish purposes authorized by statute or executive order only), (e)(4)(G) (paragraph (a)(7) of this section, publication of procedures for notification), (e)(4)(H) (paragraph (a)(8) of this section, publication of procedures for access and contest), (e)(4)(I) (paragraph (a)(9) of this section, publication of sources of records), and (f) (§ 1.26, promulgate rules for notification, access and contest), if the system of records is:
(i) Subject to the provisions of 5 U.S.C. 552(b)(1);
(ii) Investigatory material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2) of the Privacy Act and paragraph (a)(1) of this section. If any individual is denied any right, privilege, or benefit that such individual would otherwise be entitled to by Federal law, or for which such individual would otherwise be eligible, as a result of the maintenance of this material, provide such material to the individual, except to the extent that the disclosure of the material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence;
(iii) Maintained in connection with providing protective services to the President of the United States or other individuals pursuant to 18 U.S.C. 3056;
(iv) Required by statute to be maintained and used solely as statistical records;
(v) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence;
(vi) Testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process; or
(vii) Evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence.
(3) Reasons for exemptions. As of November 21, 2022, the head of the component must include in the statement required under 5 U.S.C. 553(c) the reasons why the system of records is to be exempted from a provision of the Privacy Act and this part. (See 5 U.S.C. 552a(j) and (k).)
(d) Review and report to the Office of Management and Budget (OMB). The Department must ensure that the following reviews are conducted:
(1) The Data Integrity Board must conduct a review of all matching programs in which the Department has participated during the calendar year and report to OMB of the following year.
(2) Each component must perform the following reviews with a frequency sufficient to ensure compliance and manage risks:
(i) Review the language of each contract that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information and ensure that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its employees consistent with the agency's authority;
(ii) Ensure that all routine uses remain appropriate and that the recipient's use of the records continues to be compatible with the purpose for which the information was collected;
(iii) Ensure that each exemption claimed for a system of records pursuant to 5 U.S.C. 552a(j) and (k) remains appropriate and necessary;
(iv) Ensure Departmental and component training practices are sufficient and that personnel understand the requirements of the Privacy Act, OMB guidance, the agency's implementing regulations and policies, and any job-specific requirements;
(v) Review all component SORNs as needed to ensure they remain accurate, up-to-date, and appropriately scoped; that all SORNs are published in the Federal Register; that all SORNs include the information required by OMB Circular A-108; and that all significant changes to SORNs have been reported to OMB and Congress; and
(vi) Be prepared to report to the Office of Privacy, Transparency, & Records, as part of the annual Federal Information Security Management Act (FISMA), as amended by the Federal Information Security Modernization Act of 2014, Public Law 113-283, reporting process, the results of the reviews conducted as required by this section, including any corrective action taken to resolve problems uncovered.