2016-30495. Privacy Act Policies and Procedures  

  • Start Preamble

    AGENCY:

    Office of the United States Trade Representative.

    ACTION:

    Proposed rule.

    SUMMARY:

    As part of a comprehensive review of agency practices related to the disclosure of records and information, the Office of the United States Trade Representative (USTR) is updating both its systems of records and implementing rule under the Privacy Act of 1974 (Privacy Act). This proposed rule describes how individuals can find out if a USTR system of records contains information about them and, if so, how to access or amend a record. The proposed rule would move the Privacy Act regulation from part 2005 into a new subpart C to part 2004. USTR previously renamed and reorganized part 2004 to include all of the rules governing disclosure of USTR records and information. Elsewhere in this issue of the Federal Register, USTR is publishing a notice concerning updates to its Privacy Act systems of records.

    DATES:

    We must receive your written comments on or before January 23, 2017.

    ADDRESSES:

    You should submit written comments through the Federal eRulemaking Portal: http://www.regulations.gov. The docket number for this rulemaking is USTR-2016-0027. USTR invites comments on all aspects of the proposed rule, and will revise the language as appropriate after taking all timely comments into consideration. Copies of all comments will be available for public viewing at www.regulations.gov upon completion of processing. You can view a submission by entering the docket number USTR-2016-0027 in the search field at http://www.regulations.gov. We will post comments without change and will include any personal information you provide, such as your name, mailing address, email address, and telephone number.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Janice Kaye, Monique Ricker or Melissa Keppel, Office of General Counsel, Office of the US Trade Representative, Anacostia Naval Annex, Building 410/Door 123, 250 Murray Lane SW., Washington DC 20509, jkaye@ustr.eop.gov; mricker@ustr.eop.gov; mkeppel@ustr.eop.gov; 202-395-3150.

    End Further Info End Preamble Start Supplemental Information Start Printed Page 93858

    SUPPLEMENTARY INFORMATION:

    I. Background

    USTR has undertaken a comprehensive review of agency practices related to the collection, use, protection and disclosure of USTR records and information. As a result of that review, USTR is updating both its Privacy Act systems of records and implementing rule. The Privacy Act, 5 U.S.C. 552a, balances the Federal Government's need to maintain information about individuals while protecting individuals against unwarranted invasions of privacy stemming from Federal agencies' collection, maintenance, use, security and disclosure of personal information about them that is contained in systems of records. The Privacy Act requires each Federal agency to publish regulations describing its Privacy Act procedures and any system of records it exempts from provisions of the Privacy Act, including the reasons for the exemption.

    USTR's current Privacy Act rule, codified at 15 CFR part 2005, was last revised in 1975. See 40 FR 48331, Oct. 14, 1975. Due to the passage of time, we are completely rewriting and updating the rule. We are reserving part 2005, the rule's current codification, and moving the revised rule into a new subpart C to part 2004. Part 2004 includes four subparts containing all of the rules governing disclosure of USTR records and information.

    Elsewhere in this issue of the Federal Register, USTR is publishing a notice updating the agency's Privacy Act systems of records.

    II. Section-by-Section Analysis

    Section 2004.20—Definitions: This section sets forth definitions of select terms used in this subpart.

    Section 2004.21—Purpose and scope: This section describes the purpose of the regulation, which is to implement the Privacy Act, and explains general policies and procedures for individuals requesting access to records, requesting amendments or corrections to records, and requesting an accounting of disclosures of records.

    Section 2004.22—How to make a Privacy Act request: This section explains what an individual must do to submit a valid request to USTR for access to records, to amend or correct records, or for an accounting of disclosures of records. It also describes the information an individual must provide so USTR can identify the records sought and determine whether the request can be granted.

    Section 2004.23—How USTR will respond to a Privacy Act request: This section describes the period of time within which USTR will respond to requests. It also explains that USTR will grant or deny requests in writing, provide reasons if a request is denied in whole or in part, and explain the right of appeal.

    Section 2004.24—What requesters can do if they are dissatisfied with USTR's response to a Privacy Act request: This section describes when and how an individual may appeal a determination on a Privacy Act request and how and within what period of time USTR will make a determination on an appeal.

    Section 2004.25—Fees: This section explains that requesters are required to pay fees for the duplication of requested records.

    Section 2004.26—Exemptions: This section explains that certain exemptions from the Privacy Act exist, explains how those exemptions are made effective, what the effect of an exemption is, and how to determine whether an exemption applies.

    Section 2004.27—How records are secured: This section explains how we generally protect records under the Privacy Act.

    Section 2004.28—Use and collection of Social Security numbers: This section explains that USTR collects Social Security numbers only when authorized to do so and describes the conditions under which USTR may collect and use Social Security numbers.

    Section 2004.29—USTR employee responsibilities under the Privacy Act: This section lists the responsibilities of USTR employees under the Privacy Act.

    III. Regulatory Flexibility Act

    USTR has considered the impact of the proposed regulation and determined that if adopted as a final rule it is not likely to have a significant economic impact on a substantial number of small business entities because it is applicable only to USTR's internal operations and legal obligations. See 5 U.S.C. 601 et seq.

    IV. Paperwork Reduction Act

    The proposed rule does not contain any information collection requirement that requires the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. 3501 et seq.).

    Start List of Subjects

    List of Subjects

    15 CFR Part 2004

    • Administrative practice and procedure
    • Courts
    • Disclosure
    • Exemptions
    • Freedom of information
    • Government employees
    • Privacy
    • Records
    • Subpoenas
    • Testimony

    15 CFR Part 2005

    • Privacy
    End List of Subjects

    For the reasons stated in the preamble, the Office of the United States Trade Representative is proposing to amend chapter XX of title 15 of the Code of Federal Regulations as follows:

    Start Part

    PART 2004—DISCLOSURE OF RECORDS AND INFORMATION

    End Part Start Amendment Part

    1. Add subpart C, consisting of §§ 2004.20 through 2004.29 to read as follows:

    End Amendment Part
    Subpart C—Privacy Act Policies and Procedures
    2004.20
    Definitions.
    2004.21
    Purpose and scope.
    2004.22
    How do I make a Privacy Act request?
    2004.23
    How will USTR respond to my Privacy Act request?
    2004.24
    What can I do if I am dissatisfied with USTR's response to my Privacy Act request?
    2004.25
    What does it cost to get records under the Privacy Act?
    2004.26
    Are there any exemptions from the Privacy Act?
    2004.27
    How are records secured?
    2004.28
    Use and collection of Social Security numbers.
    2004.29
    USTR employee responsibilities under the Privacy Act.
    Start Authority

    Authority: 5 U.S.C. 552a; 19 U.S.C. 2171(e)(3).

    End Authority

    Subpart C—Privacy Act Policies and Procedures

    Definitions.

    For purposes of this subpart:

    Access means making a record available to a subject individual.

    Amendment means any correction, addition to or deletion of information in a record.

    Individual means a natural person who either is a citizen of the United States or an alien lawfully admitted to the United States for permanent residence.

    Maintain means to keep or hold and preserve in an existing state, and includes the terms collect, use, disseminate and control.

    Privacy Act Office means the USTR officials who are authorized to respond to requests and to process requests for amendment of records USTR maintains under the Privacy Act.

    Record means any item, collection or grouping of information about an individual that USTR maintains within a system of records and contains the individual's name or the identifying Start Printed Page 93859number, symbol or other identifying particular assigned to the individual, such as a finger or voice print or photograph.

    System of records means a group of records USTR maintains or controls from which information is retrieved by the name of an individual or by some identifying number, symbol or other identifying particular assigned to the individual. USTR publishes notices in the Federal Register announcing the creation, deletion or amendment of its systems of records. You can find a description of our systems of records on the USTR Web site: www.ustr.gov.

    Purpose and scope.

    (a) This subpart implements the Privacy Act, 5 U.S.C. 552a, a Federal law that requires Federal agencies to protect private information about individuals that the agencies collect or maintain. It establishes USTR's rules for access to records in systems of records we maintain that are retrieved by an individual's name or another personal identifier. It describes the procedures by which individuals may request access to records, request amendment or correction of those records, and request an accounting of disclosures of those records by USTR. Whenever it is appropriate to do so, USTR automatically processes a Privacy Act request for access to records under both the Privacy Act and the FOIA, following the rules contained in this subpart and subpart B of part 2004. USTR processes a request under both the Privacy Act and the FOIA so you will receive the maximum amount of information available to you by law.

    (b) This subpart does not entitle you to any service or to the disclosure of any record to which you are not entitled under the Privacy Act. It also does not, and may not be relied upon to create any substantive or procedural right or benefit enforceable against USTR.

    How do I make a Privacy Act request?

    (a) In general. You can make a Privacy Act request on your own behalf for records or information about you. You also can make a request on behalf of another individual as the parent or guardian of a minor, or as the guardian of someone determined by a court to be incompetent. You may request access to another individual's record or information if you have that individual's written consent, unless other conditions of disclosure apply.

    (b) How do I make a request? - (1) Where do I send my written request? To make a request for access to a record, you should write directly to our Privacy Act Office. Heightened security delays mail delivery. To avoid mail delivery delays, we strongly suggest that you email your request to PRIVACY@ustr.eop.gov. Our mailing address is: Privacy Act Office, Office of the US Trade Representative, Anacostia Naval Annex, Building 410/Door 123, 250 Murray Lane SW., Washington DC 20509. To make sure that the Privacy Act Office receives your request without delay, you should include the notation `Privacy Act Request' in the subject line of your email or on the front of your envelope and also at the beginning of your request.

    (2) Security concerns. To protect our computer systems, we will not open attachments to emailed requests—you must include your request within the body of the email. We will not process email attachments.

    (c) What should my request include? You must describe the record that you seek in enough detail to enable the Privacy Act Office to locate the system of records containing the record with a reasonable amount of effort. Include specific information about each record sought, such as the time period in which you believe it was compiled, the name or identifying number of each system of records in which you believe it is kept, and the date, title or name, author, recipient, or subject matter of the record. As a general rule, the more specific you are about the record that you seek, the more likely we will be able to locate it in response to your request.

    (d) How do I request amendment or correction of a record? If you are requesting an amendment or correction of a USTR record, you must identify each particular record in question and the system of records in which the record is located, describe the amendment or correction that you seek, and state why you believe that the record is not accurate, relevant, timely or complete. You may submit any documentation that you think would be helpful, including an annotated copy of the record.

    (e) How do I request an accounting of record disclosures? If you are requesting an accounting of disclosures made by USTR to another person, organization or Federal agency, you must identify each particular record in question. An accounting generally includes the date, nature and purpose of each disclosure, as well as the name and address of the person, organization, or Federal agency to which the disclosure was made.

    (f) Verification of identity. When making a Privacy Act request, you must verify your identity in accordance with these procedures to protect your privacy or the privacy of the individual on whose behalf you are acting. If you make a Privacy Act request and you do not follow these identity verification procedures, USTR cannot process your request.

    (1) How do I verify my own identity? You must state your full name, current address, and date and place of birth. In order to help identify and locate the records, you also may, at your option, include your Social Security number. To verify your own identity, you must provide an unsworn declaration under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury. To fulfill this requirement, you must include the following statement just before the signature on your request:

    I declare under penalty of perjury that the foregoing is true and correct. Executed on [date].

    (2) How do I verify parentage or guardianship? If you make a request as the parent or guardian of a minor, or as the guardian of someone determined by a court to be incompetent, for access records or information about that individual, you must establish:

    (i) The identity of the individual who is the subject of the record, by stating the individual's name, current address and date and place of birth, and, at your option, the Social Security number of the individual;

    (ii) Your own identity, as required in paragraph (f)(1) of this section;

    (iii) That you are the parent or guardian of the individual, which you may prove by providing a copy of the individual's birth certificate showing your parentage or a court order establishing your guardianship; and

    (iv) That you are acting on behalf of the individual in making the request.

    How will USTR respond to my Privacy Act request?

    (a) When will we respond to your request? We will search to determine if the requested records exist in a system of records USTR owns or controls. The Privacy Act Office will respond to you in writing within twenty days after we receive your request, if it meets the requirements of this subpart. We may extend the response time in unusual circumstances, such as the need to consult with another agency about a record or to retrieve a record shipped offsite for storage.

    (b) What will our response include? Our written response will include our determination whether to grant or deny your request in whole or in part, a brief explanation of the reasons for the determination, and the amount of the fee charged, if any, under § 2004.25. If Start Printed Page 93860you requested access to records, we will make the records, if any, available to you. If you requested amendment or correction of a record, the response will describe any amendments or corrections made and advise you of your right to obtain a copy of the amended or corrected record.

    (c) Adverse determinations—(1) What is an adverse determination? An adverse determination is a response to a Privacy Act request that:

    (i) Withholds any requested record in whole or in part;

    (ii) Denies a request to amend or correct a record in whole or in part;

    (iii) Declines to provide an accounting of disclosures;

    (iv) Advises that a requested record does not exist or cannot be located;

    (v) Finds that what you requested is not a record subject to the Privacy Act; or

    (vi) Advises on any disputed fee matter.

    (2) Responses that include an adverse determination. If the Privacy Act Office makes an adverse determination with respect to your request, our written response will identify the person responsible for the adverse determination, that the adverse determination is not a final agency action, and that you may appeal the adverse determination under § 2004.24.

    What can I do if I am dissatisfied with USTR's response to my Privacy Act request?

    (a) What can I appeal? You can appeal any adverse determination in writing to our Privacy Act Appeals Committee within thirty calendar days after the date of our response. We provide a list of adverse determinations in § 2004.23(c).

    (b) How do I make an appeal?—(1) What should I include? You may appeal by submitting a written statement giving the reasons why you believe the Committee should overturn the adverse determination. Your written appeal may include as much or as little related information as you wish to provide, as long as it clearly identifies the determination (including the request number, if known) that you are appealing.

    (2) Where do I send my appeal? You should mark both your letter and the envelope, or the subject of your email, “Privacy Act Appeal”. To avoid mail delivery delays caused by heightened security, we strongly suggest that you email any appeal to PRIVACY@ustr.eop.gov. Our mailing address is: Privacy Office, Office of the US Trade Representative, Anacostia Naval Annex, Building 410/Door 123, 250 Murray Lane SW., Washington DC 20509.

    (c) Who will decide your appeal? (1) The Privacy Act Appeals Committee or designee will act on all appeals under this section.

    (2) We ordinarily will not adjudicate an appeal if the request becomes a matter of litigation.

    (3) On receipt of any appeal involving classified information, the Privacy Act Appeals Committee must take appropriate action to ensure compliance with applicable classification rules.

    (d) When will we respond to your appeal? The Privacy Act Appeals Committee will notify you of its appeal decision in writing within thirty days from the date it receives an appeal that meets the requirements of paragraph (b) of this section. We may extend the response time in unusual circumstances, such as the need to consult with another agency about a record or to retrieve a record shipped offsite for storage.

    (e) What will our response include? The written response will include the Committee's determination whether to grant or deny your appeal in whole or in part, a brief explanation of the reasons for the determination, and information about the Privacy Act provisions for court review of the determination.

    (1) Appeals concerning access to records. If your appeal concerns a request for access to records and the appeal is granted in whole or in part, we will make the records, if any, available to you.

    (2) Appeals concerning amendments or corrections. If your appeal concerns amendment or correction of a record, the response will describe any amendment or correction made and advise you of your right to obtain a copy of the amended or corrected record. We will notify all persons, organizations or Federal agencies to which we previously disclosed the record, if an accounting of that disclosure was made, that the record has been amended or corrected. Whenever the record is subsequently disclosed, the record will be disclosed as amended or corrected. If our response denies your request for an amendment or correction to a record, we will advise you of your right to file a statement of disagreement under paragraph (f) of this section.

    (f) Statements of disagreement—(1) What is a statement of disagreement? A statement of disagreement is a concise written statement in which you clearly identify each part of any record that you dispute and explain your reason(s) for disagreeing with our denial in whole or in part of your appeal requesting amendment or correction.

    (2) How do I file a statement of disagreement? We must receive your statement of disagreement within thirty calendar days of our denial in whole or in part of your appeal concerning amendment or correction of a record.

    (3) What will we do with your statement of disagreement? We will place your statement of disagreement in the system(s) of records in which the disputed record is maintained. We also may append a concise statement of our reason(s) for denying the request to amend or correct the record. Whenever the record is subsequently disclosed, the record will be disclosed along with your statement of disagreement and our explanation, if any.

    (g) When appeal is required. Before seeking review by a court of an adverse determination or denial of a request, you generally first must submit a timely administrative appeal under this section.

    What does it cost to get records under the Privacy Act?

    (a) Your request is an agreement to pay fees. We consider your Privacy Act request as your agreement to pay all applicable fees unless you specify a limit on the amount of fees you agree to pay. We will not exceed the specified limit without your written agreement.

    (b) How do we calculate fees? We will charge a fee for duplication of a record under the Privacy Act in the same way we charge for duplication of records under the FOIA in § 2004.9. There are no fees to search for or review records requested under the Privacy Act.

    Are there any exemptions from the Privacy Act?

    (a) What is a Privacy Act exemption? The Privacy Act authorizes USTR to exempt records or information in a system of records from some of the Privacy Act requirements, if we determine that the exemption is necessary. With the exception of certain law enforcement records, we will not provide you with an accounting of disclosures or make available to you records that are exempt.

    (b) How do I know if the records or information I want are exempt? Each USTR system of records notice will advise you if we have determined that records or information in records are exempt from Privacy Act requirements. If we have claimed an exemption for a system of records, the system of records notice will identify the exemption and the provisions of the Privacy Act from which the system is exempt.

    How are records secured?

    (a) Controls. USTR must establish administrative and physical controls to Start Printed Page 93861prevent unauthorized access to its systems of records, unauthorized or inadvertent disclosure of records, and physical damage to or destruction of records. The stringency of these controls corresponds to the sensitivity of the records that the controls protect. At a minimum, the administrative and physical controls must ensure that:

    (1) Records are protected from public view;

    (2) The area in which records are kept is supervised during business hours to prevent unauthorized persons from having access to them;

    (3) Records are inaccessible to unauthorized persons outside of business hours; and

    (4) Records are not disclosed to unauthorized persons or under unauthorized circumstances in either oral or written form.

    (b) Limited access. Access to records is restricted only to individuals who require access in order to perform their official duties.

    Use and collection of Social Security numbers.

    We will collect Social Security numbers only when it is necessary and we are authorized to do so. At least annually, the Privacy Act Office will inform employees who are authorized to collect information that:

    (a) Individuals may not be denied any right, benefit or privilege as a result of refusing to provide their Social Security numbers, unless the collection is authorized either by a statute or by a regulation issued prior to 1975; and

    (b) They must inform individuals who are asked to provide their Social Security numbers:

    (1) If providing a Social Security number is mandatory or voluntary;

    (2) If any statutory or regulatory authority authorizes collection of a Social Security number; and

    (3) The uses that will be made of the Social Security number.

    Employee responsibilities under the Privacy Act.

    At least annually, the Privacy Act Office will inform employees about the provisions of the Privacy Act, including the Act's civil liability and criminal penalty provisions. Unless otherwise permitted by law, a USTR employee must:

    (a) Collect from individuals only information that is relevant and necessary to discharge USTR's responsibilities.

    (b) Collect information about an individual directly from that individual whenever practicable.

    (c) Inform each individual from whom information is collected of:

    (1) The legal authority to collect the information and whether providing it is mandatory or voluntary;

    (2) The principal purpose for which USTR intends to use the information;

    (3) The routine uses, i.e., disclosures of records and information contained in a system of records without the consent of the subject of the record, USTR may make; and

    (4) The effects on the individual, if any, of not providing the information.

    (d) Ensure that the employee's office does not maintain a system of records without public notice and notify appropriate officials of the existence or development of any system of records that is not the subject of a current or planned public notice.

    (e) Maintain all records that are used in making any determination about an individual with such accuracy, relevance, timeliness and completeness as is reasonably necessary to ensure fairness to the individual in the determination.

    (f) Except for disclosures made to an agency or under the FOIA, make reasonable efforts, prior to disseminating any record about an individual, to ensure that the record is accurate, relevant, timely and complete.

    (g) When required by the Privacy Act, maintain an accounting in the specified form of all disclosures of records by USTR to persons, organizations or agencies.

    (h) Maintain and use records with care to prevent the unauthorized or inadvertent disclosure of a record to anyone.

    (i) Notify the appropriate official of any record that contains information that the Privacy Act does not permit USTR to maintain.

    Start Part

    PART 2005—[REMOVED]

    End Part Start Amendment Part

    3. Remove part 2005.

    End Amendment Part Start Signature

    Janice Kaye,

    Chief Counsel for Administrative Law, Office of the U.S. Trade Representative.

    End Signature End Supplemental Information

    [FR Doc. 2016-30495 Filed 12-21-16; 8:45 am]

    BILLING CODE 3290-F7-P

Document Information

Published:
12/22/2016
Department:
Trade Representative, Office of United States
Entry Type:
Proposed Rule
Action:
Proposed rule.
Document Number:
2016-30495
Dates:
We must receive your written comments on or before January 23, 2017.
Pages:
93857-93861 (5 pages)
Docket Numbers:
Docket Number USTR-2016-0027
RINs:
0350-AA09: Privacy Act Policies and Procedures
RIN Links:
https://www.federalregister.gov/regulations/0350-AA09/privacy-act-policies-and-procedures
Topics:
Administrative practice and procedure, Courts, Freedom of information, Government employees, Privacy
PDF File:
2016-30495.pdf
CFR: (10)
15 CFR 2004.20
15 CFR 2004.21
15 CFR 2004.22
15 CFR 2004.23
15 CFR 2004.24
More ...