2017-00585. Privacy Act Procedures  

  • Start Preamble

    AGENCY:

    National Indian Gaming Commission, Department of the Interior.

    ACTION:

    Final rule.

    SUMMARY:

    The National Indian Gaming Commission (NIGC or the Commission) is establishing this rule in Chapter III of title 25 of the Code of Federal Regulations. This rule describes the procedures and policies adopted by the Commission pursuant to the Privacy Act of 1974. Under the Act, a Federal agency must publish notice, in the Federal Register, of any systems of records that it intends to create as well as procedures regarding the collection, maintenance, use, and dissemination of the records within those systems. The Commission previously published notice of the creation of two systems of records, namely the Indian Gaming Individuals Record System and the Management Contract Individuals Record System. The regulations set forth here update the Commission's previously published procedures and serve to streamline how the Commission processes its Privacy Act requests.

    DATES:

    Effective January 24, 2017.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Andrew Mendoza, Staff Attorney, at (202) 632-7003 or by fax (202) 632-7066 (these numbers are not toll free).

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    The Indian Gaming Regulatory Act (IGRA), Start Printed Page 8140enacted on October 17, 1988, established the National Indian Gaming Commission. Congress enacted the Privacy Act in 1974 (Public Law 93-579, 5 U.S.C. 552a). The Commission originally adopted Privacy Act procedures on January 22, 1993. Since that time, the Commission has changed the location of its headquarters office, established a new system of records, and streamlined the way it processes Privacy Act requests. On February 26, 2015, the Commission announced its intent to update its Privacy Act procedures through tribal consultation and accepted comments from the regulated community orally at several consultation sessions. The Commission also accepted written comments via the consultation process through February 23, 2016. On August 26, 2016, after reviewing those comments, the Commission published a Notice of Proposed Rulemaking, which invited additional comments from the general public. No additional comments were received during that period.

    Although no comments were received during the comment period, the Commission made two substantive changes to the proposed rule. Specifically, the Commission is lengthening the time period for appeals in Section 515.7(b) from 30 working days to 90 calendar days. One of the major reasons for updating the Commission's Privacy Act regulations was to align the procedures for processing Privacy Act requests with the Commission's processes under the Freedom of Information Act (FOIA), 5 U.S.C. 552. On June 30, 2016, President Obama signed the FOIA Improvements Act of 2016 into law. Among the many changes to the FOIA, agencies are now required to provide requesters with not less than 90 days to appeal adverse determinations made under that Act. Since the Commission processes all Privacy Act requests simultaneously under both, the FOIA and Privacy Act, the Commission decided to lengthen the amount of time for a requester to appeal an adverse determination under the Privacy Act to match the timeline established in the FOIA.

    Additionally, the Commission corrected an error in Section 515.7(c), which addresses the timeframe in which the Privacy Act Appeals Officer must respond to an appeal. In the proposed rule, the Privacy Act Appeals Officer was provided with 30 working days to respond to an appeal. While this timeframe is within the Commission's current regulations, it differs from the one set out within the Commission's FOIA regulations. Under the FOIA, an agency is required to respond to an appeal of an adverse determination within 20 working days of its receipt. To streamline the Commission's appeals procedures and synchronize the time for responses for requests that must be processed under both statutes, this section should have read 20 working days rather than 30. The provision is being adjusted accordingly.

    Executive Order 13175

    The National Indian Gaming Commission is committed to fulfilling its tribal consultation obligations—whether directed by statute or administrative action such as Executive Order (EO) 13175 (Consultation and Coordination with Indian Tribal Governments)—by adhering to the consultation framework described in its Consultation Policy published July 15, 2013. Pursuant to the Order, the Commission engaged in extensive consultation on this topic.

    One comment received through consultation requested that Section 515.10 be revised to prevent the Commission from charging fees for the first copy of a record or any portion of a record to an individual to whom the record pertains.

    The Commission disagrees and decided to keep the fee provisions as initially presented. The Privacy Act allows agencies to establish fees for duplication so long as there is no cost for searching or reviewing the record. The Commission believes that the proposed regulation appropriately places the cost of duplicating records on the requesting individual and not on the Commission or tribes who fund its operations.

    The same commenter also recommended that Section 515.11 clearly state the penalties for providing a false statement under 18 U.S.C. 494 and 495.

    The Commission disagrees. The proposed regulation identifies the relevant statutes, which lay out the penalties for providing a false statement. If the Commission were to clearly state the penalties associated with those offenses, it would also be required to change its regulations if Congress amended the penalties listed in those statutes. The Commission prefers the approach in the proposed regulations, which eliminates any need to update the provision in the future should the penalties change.

    Regulatory Flexibility Act: The Commission certifies that the proposed rule will not have a significant economic impact on a substantial number of small entities under the Regulatory Flexibility Act (5 U.S.C. 601 et seq.). The factual basis for this certification is as follows: This rule is procedural in nature and will not impose substantive requirements that would be considered impacts within the scope of the Act.

    Unfunded Mandates Reform Act

    The Commission is an independent regulatory agency, and, as such, is exempt from the Unfunded Mandates Reform Act, 2 U.S.C. 1501 et seq.

    Takings

    In accordance with Executive Order 12630, the Commission has determined that this proposed rule does not have significant takings implications. A takings implication assessment is not required.

    Civil Justice Reform

    In accordance with Executive Order 12988, the Commission has determined that the rule does not unduly burden the judicial system and meets the requirements of sections 3(a) and 3(b)(2) of the Executive Order.

    Small Business Regulatory Enforcement Fairness Act

    The proposed rule is not a major rule under 5 U.S.C. 804(2), the Small Business Regulatory Enforcement Fairness Act. The proposed rule will not result in an annual effect on the economy of more than $100 million per year; a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of U.S. based enterprises.

    Paperwork Reduction Act

    The proposed rule does not contain any information collection requirements for which the Office of Management and Budget approval under the Paperwork Reduction Act (44 U.S.C. 3501-3520) would be required.

    National Environmental Policy Act

    The Commission has determined that the proposed rule does not constitute a major Federal Action significantly affecting the quality of the human environment and that no detailed statement is required pursuant to the National Environmental Policy Act of 1969.

    Start List of Subjects

    List of Subjects in 25 CFR Part 515

    • Administrative practice and procedure
    • Privacy
    • Reporting and recordkeeping
    End List of Subjects Start Printed Page 8141 Start Amendment Part

    For the reasons set forth in the preamble, the Commission revises part 25 CFR part 515 to read as follows:

    End Amendment Part Start Part

    PART 515—PRIVACY ACT PROCEDURES

    Sec.
    515.1
    Purpose and scope.
    515.2
    Definitions.
    515.3
    Request for access to records.
    515.4
    Responsibility for responding to requests.
    515.5
    Responses to requests for access to records.
    515.6
    Request for amendment or correction of records.
    515.7
    Appeals of initial agency adverse determination.
    515.8
    Requests for an accounting of record disclosure.
    515.9
    Notice of court-ordered and emergency disclosures.
    515.10
    Fees.
    515.11
    Penalties.
    515.12
    [Reserved]
    515.13
    Specific exemptions.
    Start Authority

    Authority: 5 U.S.C. 552a

    End Authority
    Purpose and scope.

    This part contains the regulations the National Indian Gaming Commission (Commission) follows in implementing the Privacy Act of 1974. These regulations should be read together with the Privacy Act, which provides additional information about records maintained on individuals. The regulations in this part apply to all records contained within systems of records maintained by the Commission that are retrieved by an individual's name or personal identifier. They describe the procedures by which individuals may request access to records about themselves, request amendment or correction of those records, and request an accounting of disclosures of those records by the Commission. The Commission shall also process all Privacy Act requests for access to records under the Freedom of Information Act (FOIA), 5 U.S.C. 552, and the Commission's FOIA regulations contained in 25 CFR part 517, which gives requesters maximum disclosure.

    Definitions.

    For the purposes of this subpart:

    (a) Individual means a citizen of the United States or an alien lawfully admitted for permanent residence.

    (b) Maintain means store, collect, use, or disseminate.

    (c) Record means any item, collection, or grouping of information about an individual that is maintained by the Commission, including education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name, or identifying number, symbol, or other identifier assigned to the individual, such as social security number, finger or voice print, or photograph.

    (d) System of records means a group of any records under the control of the Commission from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.

    (e) Routine use means use of a record for a purpose that is compatible with the purpose for which it was collected.

    (f) Working day means a Federal workday that does not include Saturdays, Sundays, or Federal holidays.

    Request for access to records.

    (a) How made and addressed. Any individual may make a request to the Commission for access to records about him or herself. Such requests shall conform to the requirements of this section. The request may be made in person at 90 K Street NE., Suite 200, Washington, DC 20002 during the hours of 9 a.m. to 12 noon and 2 p.m. to 5 p.m. Monday through Friday, in writing at NIGC Attn: Privacy Act Officer, C/O Department of the Interior, 1849 C Street NW., Mail Stop #1621, Washington, DC 20240, or via electronic mail addressed to PARequests@nigc.gov.

    (b) Description of records sought. Each request for access to records must describe the records sought in enough detail to enable Commission personnel to locate the system of records containing them with a reasonable amount of effort. Whenever possible, the request should describe the records sought, the time periods in which the records were compiled, any tribal gaming facility with which they were associated, and the name or identifying number of each system of records in which the records are kept.

    (c) Agreement to pay fees. Requests shall also include a statement indicating the maximum amount of fees the requester is willing to pay to obtain the requested information. The requester must send acknowledgment to the Privacy Act Officer indicating his/her willingness to pay the fees. Absent such an acknowledgment within the specified time frame, the request will be considered incomplete, no further work shall be done, and the request will be administratively closed.

    (d) Verification of identity. When making a request for access to records the individual seeking access must provide verification of identity. The requester must provide a full name, current address, and date and place of birth. The request must be signed and must either be notarized or submitted under 28 U.S.C. 1746, which is a law that permits statements to be made under penalty of perjury as a substitute for notarization. In order to assist in the identification and location of requested records, a request may also, at the requester's option, include a social security number.

    (e) Verification of guardianship. When making a request as a parent or guardian of a minor or as the guardian of someone determined by a court to be incompetent, for access to records about that individual, the request must establish:

    (1) The identity of the individual who is the subject of the record by stating the name, current address, date and place of birth, and, at the requester's option, the social security number of the individual;

    (2) The requester's own identity, as required in paragraph (d) of this section;

    (3) That the requester is the parent or guardian of the individual and proof of such relationship by providing a birth certificate showing parentage or a court order establishing guardianship; and

    (4) That the requester is acting on behalf of that individual in making the request.

    (f) Verification in the case of third party information requests. Any individual who desires to have a record covered by this part disclosed to or mailed to another person may designate such person and authorize such person to act as his or her agent for that specific purpose. The authorization shall be in writing, signed by the individual whose record is requested, and notarized or witnessed as provided in paragraph (d) of this section.

    (g) In-person disclosures. An individual to whom a record is to be disclosed in person, pursuant to this section, may have a person of his or her own choosing accompany him or her when the record is disclosed. If a requester is accompanied by another individual, the requester shall be required to authorize in writing any discussion of the records in the presence of the other person.

    Responsibility for responding to requests.

    (a) In general. In determining which records are responsive to a request, the Commission ordinarily will include only records in its possession as of the date it begins its search for records. If any other date is used, the Privacy Act Officer shall inform the requester of that date.

    (b) Authority to grant or deny requests. The Privacy Act Officer shall Start Printed Page 8142make initial determinations either to grant or deny in whole or in part access to records.

    (c) Consultations and referrals. When the Commission receives a request for a record in its possession, the Privacy Act Officer shall determine whether another agency of the Federal Government is better able to determine whether the record is exempt from disclosure under the Privacy Act. If the Privacy Act Officer determines that it is best able to process the record in response to the request, then it shall do so. If the Privacy Act Officer determines that it is not best able to process the record, then it shall either:

    (1) Respond to the request regarding that record, after consulting with the agency best able to determine whether to disclose it and with any other agency that has a substantial interest in it; or

    (2) Refer the responsibility for responding to the request regarding that record to the agency best able to determine whether to disclose it, or to another agency that originated the record. Ordinarily, the agency that originated a record will be presumed to be best able to determine whether to disclose it.

    (d) Notice of referral. Whenever the Privacy Act Officer refers all or any part of the responsibility for responding to a request to another agency, it ordinarily shall notify the requester of the referral and inform the requester of the name of each agency to which the request has been referred and of the part of the request that has been referred.

    Responses to requests for access to records.

    (a) Acknowledgement of requests. Upon receipt of a request, the Privacy Act Officer ordinarily shall, within 20 working days, send an acknowledgement letter which shall confirm the requester's agreement to pay fees under § 515.9 and provide an assigned request number.

    (b) Grants of requests for access. Once the Privacy Act Officer makes a determination to grant a request for access in whole or in part, it shall notify the requester in writing. The notice shall inform the requester of any fee charged under § 515.9 of this part and the Privacy Act Officer shall disclose records to the requester promptly on payment of any applicable fee. If a request is made in person, the Privacy Act Officer will disclose the records to the requester directly, in a manner not unreasonably disruptive of its operations, on payment of any applicable fee and with a written record made of the grant of the request. If a requester is accompanied by another individual, the requester shall be required to authorize in writing any discussion of the records in the presence of the other person.

    (c) Adverse determinations of requests for access. If the Privacy Act Officer makes any adverse determination denying a request for access in any respect, it shall notify the requester of that determination in writing. The notification letter shall be signed by the official making the determination and include:

    (1) The name and title of the person responsible for the denial;

    (2) A brief statement of the reason(s) for the denial, including any Privacy Act exemption(s) applied to the denial;

    (3) A statement that the denial may be appealed under § 515.7 and a description of the requirements of § 515.7.

    Request for amendment or correction of records.

    (a) How made and addressed. An individual may make a request for an amendment or correction to a Commission record about that individual by writing directly to the Privacy Act Officer, following the procedures in § 515.3. The request should identify each particular record in question, state the amendment or correction that is sought, and state why the record is not accurate, relevant, timely, or complete. The request may include any documentation that would be helpful to substantiate the reasons for the amendment sought.

    (b) Privacy Act Officer response. The Privacy Act Officer shall, not later than 10 working days after receipt of a request for an amendment or correction of a record, acknowledge receipt of the request and provide notification of whether the request is granted or denied. If the request is granted in whole or in part, the Privacy Act Officer shall describe the amendment or correction made and shall advise the requester of the right to obtain a copy of the amended or corrected record. If the request is denied in whole or in part, the Privacy Act Officer shall send a letter signed by the denying official stating:

    (1) The reason(s) for the denial; and

    (2) The procedure for appeal of the denial under paragraph (c) of this section.

    (c) Appeals. A requester may appeal a denial of a request for amendment or correction in the same manner as a denial of a request for access as described in § 515.7. If the appeal is denied, the requester shall be advised of the right to file a Statement of Disagreement as described in paragraph (d) of this section and of the right under the Privacy Act for judicial review of the decision.

    (d) Statements of Disagreement. If the appeal under this section is denied in whole or in part, the requester has the right to file a Statement of Disagreement that states the reason(s) for disagreeing with the Privacy Act Officer's denial of the request for amendment or correction. Statements of Disagreement must be concise, must clearly identify each part of any record that is disputed, and should be no longer than one typed page for each fact disputed. The Statement of Disagreement shall be placed in the system of records in which the disputed record is maintained and the record shall be marked to indicate a Statement of Disagreement has been filed.

    (e) Notification of amendment, correction, or disagreement. Within 30 working days of the amendment or correction of the record, the Privacy Act Officer shall notify all persons, organizations, or agencies to which it previously disclosed the record, and if an accounting of that disclosure was made, that the record has been amended or corrected. If a Statement of Disagreement was filed, the Commission shall append a copy of it to the disputed record whenever the record is disclosed and may also append a concise statement of its reason(s) for denying the request to amend the record.

    (f) Records not subject to amendment. Section 515.13 lists the records that are exempt from amendment or correction.

    Appeals of initial adverse agency determination.

    (a) Adverse determination. An initial adverse agency determination of a request may consist of: A determination to withhold any requested record in whole or in part; a determination that a requested record does not exist or cannot be located; a determination that the requested record is not a record subject to the Privacy Act; a determination that a record will not be amended; a determination to deny a request for an accounting; a determination on any disputed fee matter; and any associated denial of a request for expedited treatment under the Commission's FOIA regulations.

    (b) Appeals. If the Privacy Act Officer issues an adverse determination in response to a request, the requester may file a written notice of appeal. The notice shall be accompanied by the original request, the initial adverse determination that is being appealed, and a statement describing why the adverse determination was in error. The appeal shall be addressed to the Privacy Start Printed Page 8143Act Appeals Officer at the locations listed in § 515.3 of this part no later than 90 calendar days after the date of the letter denying the request. Both the appeal letter and envelope should be marked “Privacy Act Appeal.” Any Privacy Act appeals submitted via electronic mail should state “Privacy Act Appeal” in the subject line.

    (c) Responses to appeals. The decision on appeal will be made in writing within 20 working days of receipt of the notice of appeal by the Privacy Act Appeals Officer. For good cause shown, however, the Privacy Act Appeals Officer may extend the 30 working day period. If such an extension is taken, the requester shall be promptly notified of such extension and the anticipated date of decision. A decision affirming an adverse determination in whole or in part will include a brief statement of the reason(s) for the determination, including any Privacy Act exemption(s) applied. If the adverse determination is reversed or modified in whole or in part, the requester will be notified in a written decision and the request will be reprocessed in accordance with that appeal decision. The response to the appeal shall also advise of the right to institute a civil action in a Federal district court for judicial review of the decision.

    (d) When appeal is required. In order to institute a civil action in a federal district court for judicial review of an adverse determination, a requester must first appeal it under this section.

    Requests for an accounting of record disclosure.

    (a) How made and addressed. Subject to the exceptions listed in paragraph (b) of this section, an individual may make a request for an accounting of the disclosures of any record about that individual that the Commission has made to another person, organization, or agency. The accounting contains the date, nature and purpose of each disclosure, as well as the name and address of the person, organization, or agency to which the disclosure was made. The request for an accounting should identify each particular record in question and should be made in writing to the Commission's Privacy Act Officer, following the procedures in § 515.3.

    (b) Where accountings are not required. The Commission is not required to provide an accounting where they relate to:

    (1) Disclosures for which accountings are not required to be kept, such as those that are made to employees of the Commission who have a need for the record in the performance of their duties and disclosures that are made under section 552 of title 5;

    (2) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from those law enforcement agencies specifying the law enforcement activities for which the disclosures are sought; or

    (3) Disclosures made from law enforcement systems of records that have been exempted from accounting requirements.

    (c) Appeals. A requester may appeal a denial of a request for an accounting in the same manner as a denial of a request for access as described in § 515.7 of this part and the same procedures will be followed.

    (d) Preservation of accountings. All accountings made under this section will be retained for at least five years or the life of the record, whichever is longer, after the disclosure for which the accounting is made.

    Notice of court-ordered and emergency disclosures.

    (a) Court-ordered disclosures. When a record pertaining to an individual is required to be disclosed by a court order, the Privacy Act Officer shall make reasonable efforts to provide notice of this to the individual. Notice shall be given within a reasonable time after the Privacy Act Officer's receipt of the order—except that in a case in which the order is not a matter of public record, the notice shall be given only after the order becomes public. This notice shall be mailed to the individual's last known address and shall contain a copy of the order and a description of the information disclosed. Notice shall not be given if disclosure is made from a criminal law enforcement system of records that has been exempted from the notice requirement.

    (b) Emergency disclosures. Upon disclosing a record pertaining to an individual made under compelling circumstances affecting health or safety, the Privacy Act Officer shall, within a reasonable time, notify that individual of the disclosure. This notice shall be mailed to the individual's last known address and shall state the nature of the information disclosed; the person, organization, or agency to which it was disclosed; the date of disclosure; and the compelling circumstances justifying disclosure.

    Fees.

    The Commission shall charge fees for duplication of records under the Privacy Act in the same way in which it charges duplication fees under § 517.9 of this part. No search or review fee may be charged for any record. Additionally, when the Privacy Act Officer makes a copy of a record as a necessary part of reviewing the record or granting access to the record, the Commission shall not charge for the cost of making that copy. Otherwise, the Commission may charge a fee sufficient to cover the cost of duplicating a record.

    Penalties.

    Any person who makes a false statement in connection with any request for access to a record, or an amendment thereto, under this part, is subject to the penalties prescribed in 18 U.S.C. 494 and 495.

    [Reserved]
    Specific exemptions.

    (a) The following systems of records are exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1) and (f):

    (1) Indian Gaming Individuals Records System.

    (2) Management Contract Individuals Record System.

    (b) The exemptions under paragraph (a) of this section apply only to the extent that information in these systems is subject to exemption under 5 U.S.C. 552a(k)(2). When compliance would not appear to interfere with or adversely affect the overall responsibilities of the Commission, with respect to licensing of key employees and primary management officials for employment in an Indian gaming operation or verifying the suitability of an individual who has a financial interest in, or management responsibility for a management contract, the applicable exemption may be waived by the Commission.

    (c) Exemptions from the particular sections are justified for the following reasons:

    (1) From 5 U.S.C. 552a(c)(3), because making available the accounting of disclosures to an individual who is the subject of a record could reveal investigative interest. This would permit the individual to take measures to destroy evidence, intimidate potential witnesses, or flee the area to avoid the investigation.

    (2) From 5 U.S.C. 552a(d), (e)(1), and (f) concerning individual access to records, when such access could compromise classified information related to national security, interfere with a pending investigation or internal inquiry, constitute an unwarranted invasion of privacy, reveal a sensitive investigative technique, or pose a potential threat to the Commission or its employees or to law enforcement personnel. Additionally, access could Start Printed Page 8144reveal the identity of a source who provided information under an express promise of confidentiality.

    (3) From 5 U.S.C. 552a(d)(2), because to require the Commission to amend information thought to be incorrect, irrelevant, or untimely, because of the nature of the information collected and the length of time it is maintained, would create an impossible administrative and investigative burden by continually forcing the Commission to resolve questions of accuracy, relevance, timeliness, and completeness.

    (4) From 5 U.S.C. 552a(e)(1) because:

    (i) It is not always possible to determine relevance or necessity of specific information in the early stages of an investigation.

    (ii) Relevance and necessity are matters of judgment and timing in that what appears relevant and necessary when collected may be deemed unnecessary later. Only after information is assessed can its relevance and necessity be established.

    (iii) In any investigation the Commission may receive information concerning violations of law under the jurisdiction of another agency. In the interest of effective law enforcement and under 25 U.S.C. 2716(b), the information could be relevant to an investigation by the Commission.

    (iv) In the interviewing of individuals or obtaining evidence in other ways during an investigation, the Commission could obtain information that may or may not appear relevant at any given time; however, the information could be relevant to another investigation by the Commission.

    Start Signature

    Dated: December 30, 2016.

    Jonodev Chaudhuri,

    Chairman.

    Kathryn Isom-Clause,

    Vice-Chair.

    Sequoyah Simermeyer,

    Commissioner.

    End Signature End Part End Supplemental Information

    [FR Doc. 2017-00585 Filed 1-23-17; 8:45 am]

    BILLING CODE 7565-01-P