06-8399. Regulations Implementing the Privacy Act of 1974  

  • Start Preamble

    AGENCY:

    Occupational Safety and Health Review Commission.

    ACTION:

    Final rule.

    SUMMARY:

    The Occupational Safety and Health Review Commission (OSHRC) is amending its regulations implementing the Privacy Act of 1974, 5 U.S.C. 552a. The Privacy Act has been amended multiple times since OSHRC first promulgated its regulations in 1979. The amendments to OSHRC's regulations at 29 CFR Part 2400 will assist the agency in complying with the requirements of the Privacy Act.

    DATES:

    Effective September 29, 2006.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Ron Bailey, Attorney-Advisor, Office of the General Counsel, via telephone at (202) 606-5410, or via e-mail at rbailey@oshrc.gov.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    OSHRC published a notice of proposed rulemaking on July 28, 2006, 71 FR 42785, which would revise 29 CFR Part 2400. Interested persons were afforded an opportunity to participate in the rulemaking process through submission of written comments on the proposed rule. OSHRC received no public comments. We have reviewed the proposed rule and now adopt it as the agency's final rule.

    OSHRC's regulations at Part 2400 implementing the Privacy Act of 1974 were first promulgated on January 19, 1979, 44 FR 3968. These regulations had not been revised, except for changes made to the office address referenced in §§ 2400.6 and 2400.7, 58 FR 26065, April 30, 1993. Since 1979, however, the Privacy Act has been amended on numerous occasions. These statutory changes, along with intervening case law, compel OSHRC to amend its Start Printed Page 57417regulations at Part 2400. Because OSHRC is making extensive revisions to these regulations, OSHRC has reproduced them in their entirety for the convenience of the reader at the end of this document. OSHRC's specific amendments to Part 2400 are discussed below in regulatory sequence.

    OSHRC is first amending its authority citation to exclude all references to popular names and statutes at large. The Office of the Federal Register has expressed a preference for citing only to the United States Code when referencing a Federal statute.

    In § 2400.1 (Purpose and scope), OSHRC is making several changes to clarify what Part 2400 covers. In accordance with the amendments to the Privacy Act contained in section 2(b), Pub. L. 97-365 (5 U.S.C. 552a(m)(2)), OSHRC is amending § 2400.1 to reflect that Part 2400 no longer covers systems of records “that are disclosed to consumer reporting agencies under [section] 3711(e) of title 31, United States Code.” Additionally, OSHRC is amending § 2400.1 to reflect that Part 2400 applies only to “records that are maintained by [OSHRC].” The prior version of § 2400.1 states that OSHRC's Privacy Act regulations “are applicable only to such items of information as relate to the agency or are within its custody.” However, the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) while the term “items of information” is not. Therefore, amending § 2400.1 to substitute “record” for “items of information” more appropriately limits the purpose and scope of the regulations in accordance with the statute. OSHRC is also deleting the last sentence of § 2400.1, which states “[t]his part is intended to protect individual privacy, and affects all personal information collection and usage activity of the agency,” because it is overly broad. Based on these amendments, revised § 2400.1 reads as follows:

    The purpose of the provisions of this part is to provide procedures to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is applicable only to records that are maintained by the Occupational Safety and Health Review Commission (OSHRC or the Commission), which includes all systems of records operated on behalf of OSHRC, pursuant to a contract, to accomplish an agency function, except for records that are disclosed to consumer reporting agencies under section 3711(e) of title 31, United States Code. This part is not applicable to the rights of parties appearing in adversary proceedings before the Commission to obtain discovery from an adverse party. Such matters are governed by the Commission's Rules of Procedure, which are published at 29 CFR 2200.1 et seq.

    Revising § 2400.1 in this manner incorporates a statutory change to the Privacy Act, as well as clarifies the proper scope of the agency's regulations under Part 2400.

    In § 2400.2 (Description of agency), OSHRC is adding a sentence to the end of the section that provides additional details about the designation of one of the Commissioners as the Chairman and his responsibilities for the administrative operations of the Commission, consistent with section 12(e) of the Occupational Safety and Health Act of 1970, 29 U.S.C. 661(e). OSHRC is also making a simple change in nomenclature by deleting “Occupational Safety and Health Review Commission” and replacing it with “The Commission.” The agency's full name is first noted in revised § 2400.1 based on the amendments to that section discussed above.

    OSHRC is amending several items in § 2400.3 (Delegation of authority). In paragraph (a) of § 2400.3, OSHRC is revising the paragraph's language to provide that “[t]he Chairman shall designate an OSHRC employee as the Privacy Officer, and shall delegate to the Privacy Officer the authority to ensure agency-wide compliance with this part.” In the prior version of paragraph (a), this authority was delegated to the Executive Director. In recent years, the Office of Management and Budget (OMB) has issued various guidance memoranda regarding the responsibilities of executive departments and agencies on privacy matters, including Safeguarding Personally Identifiable Information, OMB-06-15 (May 22, 2006); Designation of Senior Agency Officials for Privacy, OMB Memorandum M-05-08 (Feb. 11, 2005); and OMB Guidance for Implementing the Privacy Provision of the E-Government Act of 2002, OMB Memorandum M-03-22 (Sept. 30, 2003). By creating the position of Privacy Officer and providing this individual with the authority to handle Privacy Act matters, OSHRC will be better able to respond to future changes in requirements and subsequent guidance in the privacy arena.

    In paragraph (b) of § 2400.3, OSHRC is replacing the term “[c]ustodians” with the more specific term “[c]ustodians of the systems of records” in order to better define those persons covered by paragraph (b). In accordance with the amendments to § 2400.3(a), OSHRC is also replacing the term “Executive Director” with “Privacy Officer.” Additionally, OSHRC is dividing existing paragraph (b) into paragraphs (b)(1) and (b)(2) and adding a new paragraph (b)(3) in order to highlight the various duties of the custodians of the systems of records. Specifically, OSHRC is reformatting paragraph (b) by turning its first and second sentences into new paragraphs (b)(1) and (b)(2), respectively. OSHRC is making several grammatical changes in new paragraph (b)(1) by transforming the words “adherence,” “collection,” “use,” and “disclosure” into present participles. OSHRC is replacing (1) the word “information” and the phrase “personal information” with the word “records,” and (2) the phrase “personal records systems” with the phrase “systems of records.” Because the terms “record” and “system of records” are defined in the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), use of these terms better delineates the scope of revised paragraph (b). OSHRC is adding a new paragraph (b)(3), which makes the custodians of the systems of records responsible for maintaining an accurate accounting of each disclosure in conformance with old § 2400.4(d) (new § 2400.4(c)) and its statutory counterpart in the Privacy Act at 5 U.S.C. 552a(c). Custodians of the systems of records are best suited to maintain an accounting of each disclosure because they have the most interaction with the systems of records and are usually involved in processing the requests for records.

    With regard to § 2400.4 (Collection and disclosure of personal information), OSHRC is making several structural and substantive changes, as well as some minor changes in wording. In paragraph (a)(1)(i) of § 2400.4, OSHRC is adding the phrase “in its records” after “[s]olicit, collect and maintain” to clarify that OSHRC's responsibilities under this provision only extend to information that is maintained in a record. OSHRC is also adding a new paragraph (a)(1)(ii) that lists the responsibilities set forth in 5 U.S.C. 552a(e)(5), which requires each agency to—

    Maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.

    With the addition of new paragraph (a)(1)(ii), § 2400.4(a)(1) better reflects OSHRC's responsibilities under the Privacy Act. OSHRC is renumbering old paragraphs (a)(1)(ii) and (iii) as new paragraphs (a)(1)(iii) and (iv). In order to better track the statutory language of 5 U.S.C. 552a(e)(2), OSHRC is adding the phrase “under Federal programs” after “benefits or privileges” in the newly renumbered paragraph (a)(1)(iii). Finally, OSHRC is making a minor Start Printed Page 57418change by deleting “the” before “OSHRC” in new paragraph (a)(1)(iv).

    OSHRC is not making any changes to paragraph (a)(2). In paragraph (a)(3) of § 2400.4, however, OSHRC is replacing the word “information” with “record” because the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) while the term “information” is not, and thus amending paragraph (a)(3) in this manner better defines this paragraph's scope. OSHRC is also adding the phrase “or maintenance of the record” after “collection” to clarify that all of the requirements and exceptions in the paragraph apply to both the collection and maintenance of records. Finally, OSHRC is amending paragraph (a)(3) to include language that excludes records “pertinent to and within the scope of an authorized law enforcement activity,” in accordance with 5 U.S.C. 552a(e)(7). OSHRC is making no changes to § 2400.4(a)(4).

    OSHRC is making structural and substantive changes to paragraphs (b)(1) and (b)(2) of § 2400.4. Specifically, OSHRC is amending paragraph (b)(1) to incorporate the opening statutory language contained in 5 U.S.C. 552a(b). Paragraph (b)(1) now reads:

    OSHRC shall not disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.

    The prior version of the regulation at § 2400.4(b)(1)—which, in part, prevented OSHRC from disseminating records “unless reasonable efforts have been made to assure that the information is accurate, complete, timely and relevant”—could have been construed as applying to Freedom of Information Act (FOIA) requests. Under 5 U.S.C. 552a(e)(6), however, agency responses to FOIA requests are specifically exempted from the Privacy Act requirement that agencies must make reasonable efforts to ensure, when disclosing records about an individual to any person, that such records are accurate, complete, timely, and relevant. This exemption makes sense because the purpose of a FOIA request may be, for example, to gather information that reflects an agency's propensity for maintaining inaccurate records. Consequently, it is not appropriate to require that such records requested under the FOIA be examined in this manner under the Privacy Act. Thus, in order to eliminate such an interpretation, OSHRC is amending paragraph (b)(1) in the aforementioned manner, amending paragraph (b)(2) to list exceptions to revised paragraph (b)(1), and adding new paragraph (b)(5) which defines when records should be “accurate, complete, timely and relevant.”

    As to paragraph (b)(2) of § 2400.4, OSHRC is making the following changes. First, in order to reflect that revised paragraph (b)(2) lists exceptions to the rule set forth in revised paragraph (b)(1), OSHRC is revising the opening clause to read, “Exceptions: A record may be disseminated without satisfying the requirements of paragraph (b)(1) of this section if disclosure is made: * * *.” Second, OSHRC is replacing the word “information” with “record” in paragraphs (b)(2)(ii) and (b)(2)(iv), because the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4), while the term “information” is not. Third, in paragraph (b)(2)(iv), OSHRC is adding the words “OSHRC with” between “provided” and “adequate advance written assurance” in order to clarify that notice must be provided to OSHRC. In that paragraph, OSHRC is also replacing the phrase “individually identifiable” with “personally identifiable” because this is a term of art used by Privacy Act practitioners. Fourth, OSHRC is making a change in nomenclature by spelling out “United States” in paragraph (b)(2)(v) and deleting “the” before “OSHRC” in paragraph (b)(2)(viii). Fifth, in accordance with the amendments to the Privacy Act contained in section 107(g)(1), Pub. L. 98-497 (5 U.S.C. 552a(b)(6)), OSHRC is modifying, in paragraph (b)(2)(vi), “National Archives of the United States” to read “National Archives and Records Administration,” and “Administrator of General Services” to read “Archivist of the United States or the designee of the Archivist.” Sixth, OSHRC is modifying, in paragraph (b)(2)(viii), “Federal agency” to read “another agency.” This revision better tracks the statutory language at 5 U.S.C. 552a(b)(7) and makes clear that the records can be disclosed to federal, state, or local agencies. In this regard, OMB states in its guidelines, 40 FR 28948, 28955, July 9, 1975, that in addition to providing for disclosures to federal law enforcement agencies, section 552a(b)(7) allows an agency, “upon receipt of a written request, [to] disclose a record to another agency or unit of State or local government for a civil or criminal law enforcement activity.” Seventh, in order to better track the language of 5 U.S.C. 552a(b)(9), OSHRC is modifying paragraph (b)(2)(ix) of § 2400.4 to read, “To either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, or any joint committee of Congress or subcommittee of any such joint committee.” Eighth, in accordance with the GAO Human Capital Reform Act of 2004, Pub. L. 108-271, 118 Stat. 811, OSHRC is modifying, in paragraph (b)(2)(x), “General Accounting Office” to read “Government Accountability Office.” Finally, OSHRC is adding a new paragraph (b)(2)(xii) which, in accordance with the amendments to the Privacy Act contained in section 2(a), Pub. L. 97-365 (5 U.S.C. 552a(b)(12)), permits disclosure “[t]o a consumer reporting agency in accordance with section 3711(e) of title 31, United States Code.”

    OSHRC is making some minor changes, such as capitalizing “Service” in paragraph (b)(3) and revising “§ 2400.4(b)(3) above” to read “paragraph (b)(3) of this section” in paragraph (b)(4). In paragraph (b)(3), OSHRC is also changing “The Personnel Office” to “OSHRC's Office of Administration” based on the agency's recent reorganization.

    OSHRC is adding new paragraphs (b)(5) and (b)(6) to § 2400.4, which essentially incorporate the statutory language of 5 U.S.C. 552a(e)(6) and (d)(5), respectively. Paragraph (b)(5) is changed slightly from that stated in the NPRM, which initially stated: “OSHRC shall not disseminate any record about an individual to any person other than an agency unless the record is disseminated pursuant to paragraph (b)(2)(i) of this section, or reasonable efforts have been made to ensure that the record is accurate, complete, timely and relevant.” Upon further review of 5 U.S.C. 552a(e)(6), OSHRC makes a minor edit to paragraph (b)(5) so it more clearly tracks the statute as follows:

    Disclosures to third parties. Prior to disseminating any record about an individual to any person other than an agency, unless the record is disseminated pursuant to paragraph (b)(2)(i) of this section, OSHRC shall make reasonable efforts to ensure that the record is accurate, complete, timely and relevant.

    Paragraph (b)(6) reads:

    Anticipated legal action. Nothing in this section shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.

    OSHRC is adding these provisions to § 2400.4 in order to track the statute and make the regulations comprehensive.

    OSHRC is re-designating old § 2400.4(c) as new § 2400.5(c). The old § 2400.4(c), which pertains to notifying certain persons and agencies about corrections made to a record, is a better fit for new § 2400.5(c), which pertains to “[n]otification of amendment.” Start Printed Page 57419Modifications to the language in the re-designated § 2400.5(c) are discussed below in that section.

    In response to the change above, OSHRC is re-designating old paragraph (d) of § 2400.4, which sets forth the procedures for maintaining an accounting of disclosures, as new paragraph (c) of § 2400.4. OSHRC is streamlining the language of new paragraph (c)(1). Rather than spelling out that the accounting requirements do not pertain to instances “in which disclosure is made to OSHRC employees in the performance of their duties or is required by the Freedom of Information Act (5 U.S.C. 552), in conformance with section 552a(c) of the Privacy Act,” OSHRC is amending the paragraph to read that “any disclosure made pursuant to paragraphs (b)(2)(i) and (b)(2)(ii) of this section” is excepted. Also, OSHRC is inserting the phrase “OSHRC shall maintain” at the beginning of paragraph (c)(1) to emphasize that it is, in fact, OSHRC's responsibility to maintain an accurate accounting of certain disclosures. OSHRC is adding a new paragraph (c)(2) that lists the information required, in accordance with 5 U.S.C. 552a(c)(1), for a proper accounting of each disclosure. New paragraph (c)(2) reads as follows:

    When an accounting is required under paragraph (c)(1) of this section, the following information shall be recorded: the date, nature, and purpose of each disclosure of a record to any person or to another agency, and the name and address of the person or agency to whom the disclosure is made.

    OSHRC is renumbering old paragraph (d)(2) as new paragraph (c)(3), and modifying the language “for at least five (5) years or the life of the record” to read “for at least five (5) years after disclosure or for the life of the record” in order to clearly define the length of time that an accounting must be maintained. Finally, OSHRC is renumbering old paragraph (d)(3) as new paragraph (c)(4), adding a cross-reference to “§ 2400.6 for suggested form of request,” and deleting the word “provision” because it adds nothing to the sentence.

    With regard to § 2400.5 (Notification), OSHRC is making various changes in substance and nomenclature. In the opening sentence of paragraph (a) of § 2400.5, OSHRC is modifying the phrase “personal records systems” to read “systems of records” because only the latter phrase is defined in the Privacy Act at 5 U.S.C. 552a(a)(5).

    In paragraph (a)(2) of § 2400.5, OSHRC is deleting the word “personal” because the definitions of “record” and “system of records” in the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), respectively, already reflect that personally identifiable information is at issue. In accordance with the amendments to the Privacy Act contained in section 201(a), Pub. L. 97-375 (5 U.S.C. 552a(e)(4)), OSHRC is also deleting the word “annually” from paragraph (a)(2) and adding the phrase “[u]pon establishing or revising a system of records.” Additionally, OSHRC is modifying paragraph (a)(2) to reflect the data elements for Privacy Act notices that are required by the Office of the Federal Register. These fields include: (i) System name and location; (ii) security classification; (iii) categories of individuals covered by the system; (iv) categories of records in the system; (v) authority for maintenance of the system; (vi) purpose(s) of the system; (vii) routine uses of records maintained in the system, including categories of users and the purpose(s) of such uses; (viii) disclosures to consumer reporting agencies; (ix) policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system; (x) system manager(s) and address; (xi) procedures by which an individual can be informed whether a system contains a record pertaining to himself, gain access to such record, and contest the content, accuracy, completeness, timeliness, relevance, and necessity for retention of the record; (xii) record source categories; and (xiii) exemptions claimed for the system. Finally, in the opening sentence of paragraph (a)(2) of § 2400.5, OSHRC is making minor grammatical changes, such as inserting “the” before the words “existence” and “systems.”

    In accordance with the amendments to the Privacy Act contained in section 3(b), Pub. L. 100-503 (5 U.S.C. 552a(r)), OSHRC is adding a new paragraph (a)(3) to § 2400.5 that sets forth the reporting requirements for system-of-records notices. New paragraph (a)(3) reads as follows:

    OSHRC shall submit a report, in accordance with guidelines provided by the Office of Management and Budget (OMB), in order to give advance notice to the Committee on Government Reform of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and OMB of any proposal to establish a new system of records or to significantly change an existing system of records.

    It is necessary to add new paragraph (a)(3) to § 2400.5 in order to provide a comprehensive explanation of the notification requirements.

    In paragraph (b) of § 2400.5, OSHRC is replacing the phrase “personal information” with “record pertaining to the individual” because the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4), while the term “information” is not.

    OSHRC is also making substantial changes to paragraph (c) of § 2400.5. The prior version of paragraph (c) stated as follows: “Notification of amendment. (See § 2400.7 relating to amendment of records upon request.)” OSHRC is deleting this language, inserting the text of old § 2400.4(c) (as discussed earlier), and designating it as new paragraph (c)(1) in § 2400.5. OSHRC is modifying the text to read as follows:

    OSHRC shall inform any person or other agency about any correction or notation of dispute made by OSHRC to any record that has been disclosed to the person or agency, if the correction or notation was made pursuant to § 2400.8, and an accounting of the disclosure was made pursuant to § 2400.4(c).

    The prior version of this paragraph states that its requirements apply where a “personal record has been or is to be disclosed.” However, the phrase “is to be disclosed” is not included in 5 U.S.C. 552a(c)(4), the regulation's statutory counterpart. Moreover, from a practical standpoint, it would be difficult to notify a person or an agency of a correction if the record has not yet been disclosed to that person or agency. The remaining changes to new paragraph (c)(1), shown above, are based on the statutory text at section 552a(c)(4).

    OSHRC is adding a new paragraph (c)(2) to § 2400.5 setting forth the requirements of 5 U.S.C. 552a(d)(4), which explains how agencies are to treat disputed portions of the record. New paragraph (c)(2) reads as follows:

    In any disclosure to a person or other agency containing information about which the individual has filed a statement of disagreement and occurring after the statement was filed, OSHRC shall clearly note any portion of the record which is disputed and provide copies of the statement and, if OSHRC deems appropriate, copies of a concise statement of OSHRC's reasons for not making the requested amendments.

    Adding this statutory requirement to § 2400.5 will help ensure that the rights of those covered by the Privacy Act are preserved.

    In accordance with 5 U.S.C. 552a(e)(11), OSHRC is amending paragraph (d) of § 2400.5 to allow interested persons to “submit written data, views, or arguments to OSHRC” after a system-of-records notice has been published in the Federal Register. OSHRC is also adding the word “routine” before “use,” and replacing “personal information” with “a system of records” because, under section 552a(e)(11), notification is required only for new and revised routine uses of Start Printed Page 57420systems of records. OSHRC is making no changes to paragraph (e) of § 2400.5.

    With regard to § 2400.6 (Procedures for requesting records), OSHRC is making various substantive and structural changes, as well some changes in nomenclature. Throughout § 2400.6, OSHRC is replacing “personal information” with “record” because the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) and the term “information” is not. OSHRC is also making a change in nomenclature by replacing “Executive Director,” “responsible official,” and “disclosure officer” with “Privacy Officer” in accordance with the amendments to § 2400.3(a).

    In the opening sentence of § 2400.6, OSHRC is replacing the word “have” with “gain.” OSHRC is also deleting the phrase “within a comprehensive format” as unnecessary.

    In paragraph (a)(1) of § 2400.6, OSHRC is deleting the last sentence which read as follows:

    Access to OSHRC records maintained in National Archives and Records Service Centers may be obtained in accordance with the regulations issued by the General Services Administration.

    According to section 107(g)(2), Pub. L. 98-497 (5 U.S.C. 552a(l)(1)), the records that OSHRC sends to the Federal processing center are still considered to be under OSHRC's control. Thus, disclosure of such records must be in accordance with OSHRC's regulations implementing the Privacy Act. OSHRC is also amending the agency's mailing address to include the last four digits of the ZIP code and to spell out “Ninth Floor.”

    OSHRC is deleting the last sentence in paragraph (a)(2) of § 2400.6, which read, “Upon request, OSHRC also shall disclose to the individual an accounting of any disclosures made from the individual's records.” This sentence was redundant because new § 2400.4(c)(4) (old § 2400.4(d)(3)) already covers an individual's request for an accounting.

    In paragraph (a)(3) of § 2400.6, OSHRC is revising the Privacy Officer's period for response to read “10 working days” rather than “10 days,” because 5 U.S.C. 552a(d)(2)(A) states that Saturdays, Sundays, and legal holidays are excluded from the 10-day requirement.

    Paragraphs (b)(1) and (b)(2) of § 2400.6 remain unchanged. However, OSHRC is amending paragraph (b)(3) of § 2400.6 to reflect that a declaration made in accordance with 28 U.S.C. 1746 may serve as an alternative to a notarized statement, in accordance with section 1(a), Pub. L. 94-550 (28 U.S.C. 1746), and Summers v. United States Dep't of Justice, 999 F.2d 570, 573 (D.C. Cir. 1993).

    While paragraph (c) on verification of guardianship remains unchanged, OSHRC is modifying paragraph (d) of § 2400.6 to indicate that the authorization form discussed in that paragraph must be provided by OSHRC. Because the form is intended, in part, to protect OSHRC from liability that may arise when records are disseminated to a third party accompanying the individual whose records are being accessed, OSHRC must make certain that the form is legally adequate.

    OSHRC is deleting old paragraph (e) of § 2400.6, which sets forth special rules for requesting medical records, and adding a new § 2400.7 that provides a more legally sound procedure for requesting such records. OSHRC is also re-designating old paragraph (f) as new paragraph (e).

    OSHRC is re-designating old paragraph (g) of § 2400.6 as new paragraph (f) and amending its language to require that the Privacy Officer, upon denying an individual's request for personal records, notify the individual of his or her right to an administrative appeal. The paragraph previously required that the requester be advised only of his right to judicial review in a district court of the United States. However, the administrative appeal is an equally important aspect of the review process and, therefore, is also included in the Privacy Officer's statement. OSHRC is deleting the phrase “or other appropriate official,” thereby requiring that the Privacy Officer sign any reply denying an individual's written request to review a record. Placing clear limits on who has authority to deny such a request is necessary to maintain the integrity of the administrative appeal process.

    As discussed above, OSHRC is creating a new § 2400.7 by carving out old paragraph (e) of § 2400.6 and revising it to comport with new case law regarding special procedures for medical records. Under 5 U.S.C. 552a(f)(3), OSHRC must—

    establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedure, if deemed necessary, for the disclosure to an individual of medical records, including psychological records, pertaining to him[.]

    The previous version of paragraph (e) of § 2400.6 read as follows:

    Medical records shall be disclosed to the requester to whom they pertain unless the Executive Director, in consultation with a medical doctor named by the requesting individual, determines that access to such record could have an adverse effect upon such individual. In such a case, the Executive Director shall transmit such information to the named medical doctor.

    In light of Benavides v. United States Bureau of Prisons, 995 F.2d 269 (D.C. Cir. 1993), this may not be a valid procedure. In Benavides, the United States Court of Appeals for the District of Columbia Circuit found that, while an agency is authorized to devise a “special” methodology for disclosing medical records under section 552a(f)(3), the devised methodology must lead to disclosure of the medical records to the requesting individual. Id. at 272. Thus, the court held that a regulation which expressly contemplates that the requesting individual may never see certain medical records is not a permissible special procedure. Id. The court, however, rejected the argument that the Privacy Act requires direct disclosure of medical records to the requesting individual. Id. at 273. Recognizing the “potential harm that could result from unfettered access to medical and psychological records,” the court provided that an agency should have the freedom to craft special procedures to limit such harm, as long as the agency guarantees “the ultimate disclosure of the medical records to the requesting individual.” Id. New § 2400.7 addresses the concerns expressed in Benavides by setting forth a procedure that guarantees “the ultimate disclosure of medical records to the requesting individual,” but still requires the intervention of a physician in order “to limit the potential harm.” Id.

    OSHRC is re-designating old § 2400.7 (Procedures for requesting amendment) as new § 2400.8. Throughout new § 2400.8, OSHRC is replacing “Executive Director” with “Privacy Officer” in accordance with the amendments to § 2400.3(a) discussed above. OSHRC is revising paragraph (b)(4) to reflect that the Privacy Officer will “[n]otify the requester of a determination not to amend the record, of the reasons for the refusal, and of the requester's right to appeal in accordance with [new] § 2400.9.” Inexplicably, the prior version of paragraph (b)(4) did not require OSHRC to explain its decision to deny a person's request for amendment. OSHRC is severing paragraphs (c) and (d) of old § 2400.7 and renumbering them to create a new § 2400.9 pertaining to appeal procedures. Creating new § 2400.9 by separating the appeal procedures from old § 2400.7, which pertains to “procedures for requesting amendment,” is necessary because Start Printed Page 57421individuals should be permitted to appeal the agency's denial of inspection and copy requests, not just the denial of amendment requests.

    In new § 2400.9 (old § 2400.7(c) and (d)), OSHRC is changing “Executive Director” to “Privacy Officer.” OSHRC is also making the following formatting changes. New paragraphs (a)(1) and (a)(2) of § 2400.9 coincide with old § 2400.7(c)(1) and (c)(2), new paragraph (b) coincides with old § 2400.7(c)(3), new paragraph (c) coincides with old § 2400.7(c)(4), and new paragraph (d) coincides with old § 2400.7(d). In new paragraph (a)(1) (old § 2400.7(c)(1)), OSHRC is amending the last four digits of the ZIP code in its mailing address, spelling out “Ninth Floor,” and adding “Attn: Privacy Appeal” as the second line in the address. In new paragraph (b) of § 2400.9 (old § 2400.7(c)(3)), OSHRC is: (1) Adding the word “working” after the first mention of “30” because 5 U.S.C. 552a(d)(3) states that Saturdays, Sundays, and legal holidays are excluded from the 30-day requirement; (2) replacing the word “determination” with “decision” in order to make new paragraph (b) consistent with paragraph (c) (old § 2400.7(c)(4)); and (3) for the sake of readability, modifying “not complete, accurate, relevant, or timely,” to read “incomplete, inaccurate, irrelevant, or untimely.” In new paragraph (c) (old § 2400.7(c)(4)), OSHRC is titling the paragraph “Decision requirements” and adding the phrase “of the United States” after “district court.” Finally, in new paragraph (d) (old § 2400.7(d)), OSHRC is adding “then” after “the requester,” and deleting the word “personal” because the definition of “record” in the Privacy Act at 5 U.S.C. 552a(a)(4) already reflects that personally identifiable information is at issue.

    OSHRC is deleting old § 2400.7(e), which states that the Executive Director “is available to provide an individual with assistance in exercising rights pursuant to this part.” This language creates no affirmative duty and is therefore unnecessary. Moreover, other OSHRC regulations already adequately ensure that an individual requesting records or amendment to records will be provided with the information necessary to exercise his or her rights.

    OSHRC is re-designating old § 2400.8 (Schedule of fees) as new § 2400.10. OSHRC is amending the schedule of fees to reflect the change in costs since the original promulgation of the current regulations in 1979. Rather than specifying a specific copying fee, OSHRC is incorporating by reference Appendix A to 29 CFR Part 2201—Schedule of Fees in the agency's final FOIA rules at 71 FR 56347, September 27, 2006. OSHRC is making this revision for purposes of administrative ease and to ensure that the fees charged for FOIA and Privacy Act requests are consistent. Lastly, in accordance with 5 U.S.C. 552a(f)(5), OSHRC is amending paragraph (c) to reflect that no fee will be charged for reviewing records.

    OSHRC is deleting old § 2400.9 (Exemptions), which states that “[s]ubsections 552a(j) and (k) of title 5 * * * empower the Chairman to exempt systems of records meeting certain criteria from various other subsections of section 552a.” Under 5 U.S.C. 552a(j) and (k), the head of an agency may promulgate rules, in some circumstances, to exempt various systems of records from certain Privacy Act requirements. A system of records cannot be exempted, however, unless a specific rule regarding it has been published. If ever there is a system of records that the head of the agency wants to exempt, he or she can simply publish a regulation at that time to exempt the system. Thus, deleting § 2400.9 in no way deprives the Chairman of this authority.

    Executive Order 12866

    The Commission is an independent regulatory agency, and, as such, is not subject to the requirements of E.O. 12866.

    Paperwork Reduction Act

    The Commission has determined that the Paperwork Reduction Act, 44 U.S.C. 3501 et seq., does not apply because these rules do not contain any information collection requirements that require the approval of OMB.

    Executive Order 13132

    The Commission is an independent regulatory agency, and, as such, is not subject to the requirements of E.O. 13132.

    Regulatory Flexibility Act

    The Commission has determined under the Regulatory Flexibility Act, 5 U.S.C. 605(b), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, 5 U.S.C. 804(2), and has certified to the Chief Counsel for Advocacy of the Small Business Administration, that these rules will not have a significant economic impact on a substantial number of small entities. Therefore, a Regulatory Flexibility Statement and Analysis has not been prepared.

    The Commission maintains relatively few systems of records, as defined by 5 U.S.C. 552a(a)(5). Moreover, the bulk of the Commission's record—i.e., its case files—are already open to public review under section 12(g) of the OSH Act, 29 U.S.C. § 661(g). Despite the requirements of the Privacy Act, the public may access much of the information that the Commission maintains. Finally, the Privacy Act permits agencies to charge requesters for duplication costs, but not for costs associated with searching for and reviewing requested records. The Commission's final rule is fully consistent with these requirements.

    Unfunded Mandates Reform Act of 1995

    The Commission is an independent regulatory agency, and, as such, is not subject to the Unfunded Mandates Reform Act, 2 U.S.C. 1501 et seq.

    Congressional Review Act

    Consistent with the Congressional Review Act (Section 804 of the Small Business Regulatory Enforcement Fairness Act), 5 U.S.C. 804 et seq., the Commission will submit to Congress and to the Comptroller General of the United States, a report regarding the issues of this Final Rule prior to the effective date set forth at the outset of this document. This rule is not a major rule under the Congressional Review Act. The rule will not result in an annual effect on the economy of more than $100 million per year; a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of U.S.-based enterprises to compete with foreign-based companies in domestic and export markets.

    Start List of Subjects

    List of Subjects in 29 CFR Part 2400

    • Administrative practice and procedure
    • Archives and records
    • Government employees
    • Privacy
    End List of Subjects Start Signature

    Signed at Washington, DC, on September 27, 2006.

    W. Scott Railton,

    Chairman.

    End Signature Start Amendment Part

    For the reasons set forth in the preamble, OSHRC amends Chapter XX of Title 29, Code of Federal Regulations, by revising part 2400 to read as follows:

    End Amendment Part Start Part

    PART 2400—REGULATIONS IMPLEMENTING THE PRIVACY ACT

    2400.1
    Purpose and scope.
    2400.2
    Description of agency.
    2400.3
    Delegation of authority.
    2400.4
    Collection and disclosure of personal information. Start Printed Page 57422
    2400.5
    Notification.
    2400.6
    Procedures for requesting records.
    2400.7
    Special procedures for requesting medical records.
    2400.8
    Procedures for requesting amendment.
    2400.9
    Procedures for appealing.
    2400.10
    Schedule of fees.
    Start Authority

    Authority: 5 U.S.C. 552a(f); 5 U.S.C. 553.

    End Authority
    Purpose and scope.

    The purpose of the provisions of this part is to provide procedures to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is applicable only to records that are maintained by the Occupational Safety and Health Review Commission (OSHRC or the Commission), which includes all systems of records operated on behalf of OSHRC, pursuant to a contract, to accomplish an agency function, except for records that are disclosed to consumer reporting agencies under section 3711(e) of title 31, United States Code. This part is not applicable to the rights of parties appearing in adversary proceedings before the Commission to obtain discovery from an adverse party. Such matters are governed by the Commission's Rules of Procedure, which are published at 29 CFR 2200.1 et seq.

    Description of agency.

    The Commission adjudicates contested enforcement actions under the Occupational Safety and Health Act of 1970 (29 U.S.C. 651-677). Decisions of the Commission on such actions are issued only after the parties to the case are afforded an opportunity for a hearing in accordance with section 554 of title 5, United States Code. All such hearings are conducted by an OSHRC Administrative Law Judge at a place convenient to the parties and are open to the public. Each Commission member has the authority to direct that a decision of a Judge be reviewed by the full Commission before becoming a final order. The President designates one of the Commissioners as Chairman, who is responsible on behalf of the Commission for the administrative operations of the Commission.

    Delegation of authority.

    (a) The Chairman shall designate an OSHRC employee as the Privacy Officer, and shall delegate to the Privacy Officer the authority to ensure agency-wide compliance with this part.

    (b) Custodians of the systems of records are responsible for the following:

    (1) Adhering to this part within their respective units and, in particular, collecting, using and disclosing records, and affording individuals the right to inspect, obtain copies of and correct records concerning them;

    (2) Reporting the existence of systems of records, changes to the contents of those systems and changes of routine use to the Privacy Officer, and also establishing the relevancy of records within those systems; and

    (3) Maintaining an accurate accounting of each disclosure in conformance with § 2400.4(c) of this part.

    Collection and disclosure of personal information.

    (a) The following rules govern the collection of personal information throughout OSHRC operations:

    (1) OSHRC shall:

    (i) Solicit, collect and maintain in its records only such personal information as is relevant and necessary to accomplish a purpose required by statute or executive order;

    (ii) Maintain all records which are used by OSHRC in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination;

    (iii) Collect information, to the greatest extent practicable, directly from the subject individual when such information may result in adverse determinations about an individual's rights, benefits or privileges under Federal programs; and

    (iv) Inform any individual requested to disclose personal information whether that disclosure is mandatory or voluntary, by what authority it is solicited, the principal purposes for which it is intended to be used, the routine uses which may be made of it, and any penalties or consequences known to OSHRC which shall result to the individual from such non-disclosure.

    (2) OSHRC shall not discriminate against any individual who fails to provide personal information unless that information is required or necessary for the conduct of the system or program in which the individual desires to participate. See § 2400.4(a)(1)(i).

    (3) No record shall be collected or maintained which describes how any individual exercises rights guaranteed by the First Amendment unless the Commission specifically determines that such information is relevant and necessary to carry out a statutory purpose of OSHRC, and the collection or maintenance of the record is expressly authorized by statute or by the individual about whom the record is maintained, or unless the record is pertinent to and within the scope of an authorized law enforcement activity.

    (4) OSHRC shall not require disclosure of any individual's Social Security account number or deny a right, privilege or benefit because of the individual's refusal to disclose the number unless disclosure is required by Federal law.

    (b) Disclosures—(1) Limitations. OSHRC shall not disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.

    (2) Exceptions. A record may be disseminated without satisfying the requirements of paragraph (b)(1) of this section if disclosure is made:

    (i) To a person pursuant to a requirement of the Freedom of Information Act (5 U.S.C. 552);

    (ii) To those officers and employees of OSHRC who have a need for the record in the performance of their duties;

    (iii) For a routine use as contained in the system notices published in the Federal Register;

    (iv) To a recipient who has provided OSHRC with adequate advance written assurance that the record shall be used solely as a statistical reporting or research record, and the record is to be transferred in a form that is not personally identifiable;

    (v) To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13, United States Code;

    (vi) To the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;

    (vii) To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual, if upon such disclosure notification is transmitted to the last known address of such individual;

    (viii) To another agency or an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, if such activity is authorized by law and if the head of the agency or instrumentality has made a written request to OSHRC specifying the particular portion of the record desired and the law enforcement activity for which the record is sought; Start Printed Page 57423

    (ix) To either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, or any joint committee of Congress or subcommittee of any such joint committee;

    (x) To the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the Government Accountability Office;

    (xi) Pursuant to the order of a court of competent jurisdiction; or

    (xii) To a consumer reporting agency in accordance with section 3711(e) of title 31, United States Code.

    (3) Employee credit references. OSHRC's Office of Administration shall verify the following information provided by an employee to a credit bureau or commercial firm from which an employee is seeking credit: Length of service, job title, grade, salary, tenure of employment, and Civil Service status.

    (4) Employee job references. Prospective employers of an OSHRC employee or a former OSHRC employee may be furnished with the information in paragraph (b)(3) of this section in addition to the date and reason for separation, if applicable, upon the request of the employee or former employee.

    (5) Disclosures to third parties. Prior to disseminating any record about an individual to any person other than an agency, unless the record is disseminated pursuant to paragraph (b)(2)(i) of this section, OSHRC shall make reasonable efforts to ensure that the record is accurate, complete, timely and relevant.

    (6) Anticipated legal action. Nothing in this section shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.

    (c) Accounting of disclosures—(1) OSHRC shall maintain an accurate accounting of each disclosure, except for any disclosure made pursuant to paragraphs (b)(2)(i) and (b)(2)(ii) of this section.

    (2) When an accounting is required under paragraph (c)(1) of this section, the following information shall be recorded: The date, nature, and purpose of each disclosure of a record to any person or to another agency, and the name and address of the person or agency to whom the disclosure is made.

    (3) The accounting shall be maintained for at least five (5) years after disclosure or for the life of the record, whichever is longer.

    (4) The accounting shall be made available to the individual named in the record upon inquiry, except for disclosures made pursuant to paragraph (b)(2)(viii) of this section relating to law enforcement activities. See § 2400.6 for suggested form of request.

    Notification.

    (a) Notification of systems. The following procedures permit individuals to determine the types of systems of records maintained by OSHRC.

    (1) Upon written request, OSHRC shall notify any individual whether a specific system named by him contains a record pertaining to him. See § 2400.6 for suggested form of request.

    (2) Upon establishing or revising a system of records, OSHRC shall publish in the Federal Register a notice of the existence and character of the system of records. This notice shall contain the following information:

    (i) System name and location;

    (ii) Security classification;

    (iii) Categories of individuals covered by the system;

    (iv) Categories of records in the system;

    (v) Authority for maintenance of the system;

    (vi) Purpose(s) of the system;

    (vii) Routine uses of records maintained in the system, including categories of users and the purpose(s) of such uses;

    (viii) Disclosures to consumer reporting agencies;

    (ix) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system;

    (x) System manager(s) and address;

    (xi) Procedures by which an individual can be informed whether a system contains a record pertaining to himself, gain access to such record, and contest the content, accuracy, completeness, timeliness, relevance and necessity for retention of the record;

    (xii) Record source categories; and

    (xiii) Exemptions claimed for the system.

    (3) OSHRC shall submit a report, in accordance with guidelines provided by the Office of Management and Budget (OMB), in order to give advance notice to the Committee on Government Reform of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and OMB of any proposal to establish a new system of records or to significantly change an existing system of records.

    (b) Notification of disclosure. OSHRC shall make reasonable efforts to serve notice on an individual before any record pertaining to the individual is made available to any person under compulsory legal process when such process becomes a matter of public record.

    (c) Notification of amendment—(1) OSHRC shall inform any person or other agency about any correction or notation of dispute made by OSHRC to any record that has been disclosed to the person or agency, if the correction or notation was made pursuant to § 2400.8, and an accounting of the disclosure was made pursuant to § 2400.4(c).

    (2) In any disclosure to a person or other agency containing information about which the individual has filed a statement of disagreement and occurring after the statement was filed, OSHRC shall clearly note any portion of the record which is disputed and provide copies of the statement and, if OSHRC deems appropriate, copies of a concise statement of OSHRC's reasons for not making the requested amendments.

    (d) Notification of new routine use. Any new or revised routine use of a system of records maintained by OSHRC shall be published in the Federal Register thirty (30) days before such use becomes operational. Interested persons may then submit written data, views, or arguments to OSHRC.

    (e) Notification of exemptions. OSHRC shall publish in the Federal Register its intent to exempt any system of records and shall specify the nature and purpose of that system.

    Procedures for requesting records.

    The purpose of this section is to provide procedures by which an individual may gain access to his records.

    (a) Submission of requests for access—(1) Manner. An individual seeking information regarding the contents of records systems or access to records about himself in a system of records should present a written request to that effect either in person or by mail to the Privacy Officer, OSHRC, One Lafayette Centre, 1120-20th Street, NW., Ninth Floor, Washington, DC 20036-3457.

    (2) Specification of records sought. Requests for access to records shall describe the nature of the record sought, the approximate dates covered by the record, and the system in which the record is thought to be included as described in the “Notification” for that system as published in the Federal Register. The requester should also indicate whether he wishes to review the record in person or obtain a copy by mail. If the information supplied is insufficient to locate or identify the record, the requester shall be notified promptly and, if necessary, informed of additional information required.

    (3) Period for response. Upon receipt of an inquiry the Privacy Officer shall respond promptly to the request and no Start Printed Page 57424later than 10 working days from receipt of such inquiry.

    (b) Verification of identity. The following standards are applicable to any individual who requests records concerning himself:

    (1) An individual seeking access to records about himself in person may establish his identity by the presentation of a single document bearing a photograph (such as a passport, employee identification card, or valid driver's license) or by the presentation of two items of identification which do not bear a photograph but do bear both a name and address (such as a valid driver's license, or credit card).

    (2) An individual seeking access to records about himself by mail shall establish his identity by a signature, address, date of birth, place of birth, employee identification number, if any, and one other identifier such as a photocopy of an identifying document.

    (3) An individual seeking access to records about himself by mail or in person who cannot provide the necessary documentation of identification may provide a notarized statement, or a declaration in accordance with 28 U.S.C. 1746, swearing or affirming to his identity and to the fact that he understands the penalties for false statements pursuant to 18 U.S.C. 1001. Forms for notarized statements may be obtained on request from the Privacy Officer.

    (c) Verification of guardianship. The parent or guardian of a minor or a person judicially determined to be incompetent and seeking to act on behalf of such minor or incompetent shall, in addition to establishing his own identity, establish the identity of the minor or other person he represents as required in paragraph (b) of this section and establish his own parentage or guardianship of the subject of the record by furnishing either a copy of a birth certificate showing parentage or a court order establishing the guardianship.

    (d) Accompanying persons. An individual seeking to review records about himself may be accompanied by another individual of his own choosing. Both the individual seeking access and the individual accompanying him shall be required to sign a form provided by OSHRC indicating that OSHRC is authorized to discuss the contents of the subject record in the presence of both individuals.

    (e) When compliance is possible—(1) The Privacy Officer shall inform the requester of the determination to grant the request and shall make the record available to the individual in the manner requested, that is, either by forwarding a copy of the information to him or by making it available for review, unless:

    (i) It is impracticable to provide the requester with a copy of a record, in which case the requester shall be so notified, and, in addition, be informed of the procedures set forth in paragraph (b) of this section, or

    (ii) The Privacy Officer has reason to believe that the cost of a copy of a record is considerably more expensive than anticipated by the requester, in which case he shall notify the requester of the estimated cost, and ascertain whether the requester still wishes to be provided with a copy of the information.

    (2) Where a record is to be reviewed by the requester in person, the Privacy Officer shall inform the requester in writing of:

    (i) The date on which the record shall become available for review, the location at which it may be reviewed, and the hours for inspection;

    (ii) The type of identification that shall be required in order for him to review the record;

    (iii) Such person's right to have a person of his own choosing accompany him to review the record; and

    (iv) Such person's right to have a person other than himself review the record.

    (3) If the requester seeks to inspect the record without receiving a copy, he shall not leave OSHRC premises with the record and shall sign a statement indicating he has reviewed a specific record or category of record.

    (f) Response when compliance is not possible. A reply denying a written request to review a record shall be in writing signed by the Privacy Officer and shall be made only if such a record does not exist or does not contain personal information relating to the requester, or is exempt. This reply shall include a statement regarding the determining factors of denial, and the requester's rights to administrative appeal and thereafter judicial review in a district court of the United States.

    Special procedures for requesting medical records.

    (a) Upon an individual's request for access to his medical records, including psychological records, the Privacy Officer shall make a preliminary determination on whether access to such records could have an adverse effect upon the requester. If the Privacy Officer determines that access could have an adverse effect on the requester, OSHRC shall notify the requester in writing and advise that the records at issue can be made available only to a physician of the requester's designation. Upon receipt of such designation, verification of the identity of the physician, and agreement by the physician to review the documents with the requesting individual, to explain the meaning of the documents, and to offer counseling designed to temper any adverse reaction, OSHRC shall forward such records to the designated physician.

    (b) If, within sixty (60) days of OSHRC's written request for a designation, the requester has failed to respond or designate a physician, or the physician fails to agree to the release conditions, then OSHRC shall hold the documents in abeyance and advise the requester that this action may be construed as a technical denial. OSHRC shall also advise the requester of his rights to administrative appeal and thereafter judicial review in a district court of the United States.

    Procedures for requesting amendment.

    (a) Submission of requests for amendment. Upon review of an individual's personal record, that individual may submit a request to amend such record. This request shall be submitted in writing to the Privacy Officer and shall include a statement of the amendment requested and the reasons for such amendment, e.g., relevance, accuracy, timeliness or completeness of the record.

    (b) Action to be taken by the Privacy Officer. Upon receiving an amendment request, the Privacy Officer shall promptly:

    (1) Acknowledge in writing within ten (10) working days the receipt of the request;

    (2) Make such inquiry as is necessary to determine whether the amendment is appropriate; and

    (3) Correct or eliminate any information that is found to be incomplete, inaccurate, irrelevant to a statutory purpose of OSHRC, or untimely and notify the requester when this action is complete; or

    (4) Notify the requester of a determination not to amend the record, of the reasons for the refusal, and of the requester's right to appeal in accordance with § 2400.9.

    Procedures for appealing.

    (a) Submission of appeal—(1) If a request to inspect, copy or amend a record is denied, in whole or in part, or if no determination is made within the period prescribed by this part, then the requester may appeal to the Chairman, Attn: Privacy Appeal, OSHRC, One Start Printed Page 57425Lafayette Centre, 1120-20th Street, NW., Ninth Floor, Washington, DC 20036-3457.

    (2) The requester shall submit his appeal in writing within thirty (30) days of the date of denial, or within ninety (90) days of such request if the appeal is from a failure of the Privacy Officer to make a determination. The letter of appeal should include, as applicable:

    (i) Reasonable identification of the record to which access was sought or the amendment of which was requested.

    (ii) A statement of the OSHRC action or failure to act being appealed and the relief sought.

    (iii) A copy of the request, the notification of denial and any other related correspondence.

    (b) Final decisions. The Chairman shall make his final decision not later than thirty (30) working days from the date of the request, unless he extends the time for good cause to be shown by him but not to exceed ninety (90) days from the date of the request. Any record found on appeal to be incomplete, inaccurate, irrelevant, or untimely, shall within thirty (30) working days of the date of such findings be appropriately amended.

    (c) Decision requirements. The decision of the Chairman constitutes the final decision of OSHRC on the right of the requester to inspect, copy, change or update a record. The decision on the appeal shall be in writing and, in the event of a denial, shall set forth the reasons for such denial and state the individual's right to obtain judicial review in a district court of the United States. An indexed file of the agency's decisions on appeal shall be maintained by the Privacy Officer.

    (d) Submission of statement of disagreement. If the final decision does not satisfy the requester, then any statement of reasonable length, provided by that individual, setting forth a position regarding the disputed information, shall be accepted and included in the relevant record.

    Schedule of fees.

    (a) Policy. The purpose of this section is to establish fair and equitable fees to permit reproduction of records for concerned individuals.

    (b) Reproduction—(1) For the fees associated with reproduction of records, refer to Appendix A to part 2201, Schedule of Fees.

    (2) OSHRC shall not normally furnish more than one copy of any record.

    (c) Limitations. No fee shall be charged to any individual for the process of retrieving, reviewing, or amending records.

    End Part End Supplemental Information

    [FR Doc. 06-8399 Filed 9-27-06; 1:19 pm]

    BILLING CODE 7600-01-P

Document Information

Effective Date:
9/29/2006
Published:
09/29/2006
Department:
Occupational Safety and Health Review Commission
Entry Type:
Rule
Action:
Final rule.
Document Number:
06-8399
Dates:
Effective September 29, 2006.
Pages:
57416-57425 (10 pages)
Topics:
Administrative practice and procedure, Archives and records, Government employees, Privacy
PDF File:
06-8399.pdf
CFR: (10)
29 CFR 2400.1
29 CFR 2400.2
29 CFR 2400.3
29 CFR 2400.4
29 CFR 2400.5
More ...