-
Start Preamble
Start Printed Page 65221
AGENCY:
Occupational Safety and Health Review Commission.
ACTION:
Final rule.
SUMMARY:
The Occupational Safety and Health Review Commission (OSHRC) is amending its regulations implementing the Privacy Act of 1974. The amendments to the Privacy Act regulations, which were last revised in 2006, are intended to both modernize the regulations and make them simpler to understand.
DATES:
Effective October 15, 2020.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
Ron Bailey, Attorney Advisor, Office of General Counsel, by telephone at (202) 606-5410 or by email at rbailey@oshrc.gov.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
I. Revisions to Part 2400
OSHRC's regulations implementing the Privacy Act, 29 CFR part 2400, were promulgated on January 19, 1979, 44 FR 3968, and revised on April 30, 1993, 58 FR 26065, and September 29, 2006, 71 FR 57421. OSHRC is revising these regulations to both modernize and streamline them. For the convenience of the reader, OSHRC has reproduced the regulations and their revisions in their entirety.
Throughout part 2400, OSHRC is revising language primarily to (1) clarify whether the word “days” refers to working days or calendar days and to eliminate numbers written as words; (2) eliminate exclusive use of male pronouns and, where possible, minimize the use of gender-specific pronouns; (3) use the phrase “personal records” where appropriate to refer to records that are about an individual; (4) streamline or clarify sentences without changing substantive requirements; and (5) account for deleted or renumbered provisions referenced in this part. Additional amendments to part 2400 are discussed below in regulatory sequence.
In 29 CFR 2400.1 (Purpose and scope), OSHRC is making several amendments to clarify what part 2400 covers. In 2006, OSHRC amended this provision to state that “[t]his part is applicable only to records that are maintained by the Occupational Safety and Health Review Commission . . . except for records that are disclosed to consumer reporting agencies under section 3711(e) of title 31, United States Code.” The statutory requirement, 5 U.S.C. 552a(m), simply states that a consumer reporting agency to which records are disclosed is not considered a government contractor. To clarify that point, OSHRC is deleting the clause that pertains to consumer reporting agencies and adding the following sentence: “For purposes of this part, such contractors do not include any consumer reporting agency to which a record is disclosed under 31 U.S.C. 3711(e).”
OSHRC is also revising the last two sentences of 29 CFR 2400.1 to read as follows: “This part does not affect discovery in adversary proceedings before the Commission. Discovery is governed by the Commission's Rules of Procedures in 29 CFR part 2200, subpart D.” This is the same language that is used in 29 CFR 2400.1, the purpose and scope provision of the agency's FOIA regulations.
In 29 CFR 2400.2 (Description of agency), OSHRC is revising this section to make it identical to 29 CFR 2201.2, the agency's comparable FOIA provision.
In 29 CFR 2400.3 (Delegation of authority), OSHRC is adding the following requirement: “As necessary, the Privacy Officer shall coordinate this delegated responsibility with the Senior Agency Official for Privacy” (SAOP). According to OMB, “[t]he SAOP shall have a central role in overseeing, coordinating, and facilitating the agency's privacy compliance efforts. In this role, the SAOP shall ensure that the agency complies with applicable privacy requirements in law, regulation, and policy.” Role and Designation of Senior Agency Officials for Privacy, OMB Memorandum 16-24 (Sept. 15, 2016). In order for the SAOP to adequately fulfill these requirements, it is necessary for the Privacy Officer to coordinate with the SAOP on Privacy Act issues.
OSHRC is deleting paragraph (b) of 29 CFR 2400.3 (Delegation of authority), as well as 29 CFR 2400.4 (Collection and disclosure of personal information), because these sections are unnecessary under 5 U.S.C. 552a(f), the statutory provision requiring agencies that maintain systems of records to promulgate rules that establish procedures to implement certain aspects of the Privacy Act. Moreover, the requirements being deleted are either already specified in the Privacy Act, 5 U.S.C. 552a(b), (c), and (e), or are more appropriately addressed in the agency's system-of-records notices, 5 U.S.C. 552a(e).
OSHRC is deleting paragraphs (a) and (b) of 29 CFR 2400.5 (Notification) and moving paragraph (c)—which addresses notification of persons or other agencies who have received Privacy Act records that have subsequently been amended—to a new section that concerns procedures for statements of disagreement and notification of amendment (new 29 CFR 2400.8). Also, OSHRC is incorporating the requirements set forth in paragraph (a)(1), which pertain to written requests for notification on whether a system contains records about the requester, into the section that concerns procedures for requesting records (current 29 CFR 2400.6, new 29 CFR 2400.4).
OSHRC is revising current 29 CFR 2400.6 to specify that the procedures included in this section apply to requests for notification of a system of records' content, as well as requests for access to records. OSHRC also is including an additional method for requesting notification of or access to records—submitting requests to the FOIA Disclosure Officer in accordance with the procedures set forth at 29 CFR 2201.5(a)—to provide an alternative to mail or in-person visits. As to the paragraph concerning “verification of identity,” OSHRC is revising to simplify the verification requirements and to eliminate verification by a notarized statement, which is unnecessary given that verification can be accomplished by declaration in accordance with 28 U.S.C. 1746. Finally, to better reflect the contents of this section, OSHRC is revising the section heading as follows: “Procedures for requesting notification of and access to personal records.”
OSHRC is revising current 29 CFR 2400.7 to divide the requirements in paragraph (a) into two separate paragraphs. New paragraph (a) focuses on the Privacy Officer's responsibilities, once a Privacy Act request concerning medical records is received, and new paragraph (b) focuses on the requirements that must be satisfied before records are forwarded to a designated physician.
OSHRC is revising paragraph (a) of current 29 CFR 2400.8 to clarify that requests to amend records should be requested in the same manner as requests for notification of and access to records. Although no substantive changes are being made to paragraph (b), it is being revised to clarify the Privacy Officer's responsibilities, including explicitly specifying that the requester must be notified in writing how an amendment request has been resolved. Finally, OSHRC is revising the section heading as follows: “Procedures for amending personal records.”
OSHRC is revising paragraph (a) of current 29 CFR 2400.9 to clarify that the Start Printed Page 65222denial of “a request to provide notification of a record, or to access or amend a record”—in other words, request denials under new §§ 2400.4, 2400.5 and 2400.6—can be appealed to the Chairman. OSHRC also is revising paragraph (b) to require that the requester be notified, within the initial 30 working-day period for making a final decision, if the Chairman has extended the time period for good cause. In addition, OSHRC is moving paragraph (d) to a new section that concerns procedures for statements of disagreement and notification of amendment (new 29 CFR 2400.8).
OSHRC is adding new 29 CFR 2400.8, which has the heading, “Procedures for statements of disagreement and notification of amendment.” The requirements for this new provision are presently included in paragraph (c) of 29 CFR 2400.5 and paragraph (d) of 29 CFR 2400.9. OSHRC is revising these paragraphs for clarification purposes, none of which change the substantive requirements.
The deletion of current 29 CFR 2400.4 and 29 CFR 2400.5, and the addition of new 29 CFR 2400.8, results in current §§ 2400.6, 2400.7, 2400.8, and 2400.9 being re-designated as §§ 2400.4, 2400.5, 2400.6, and 2400.7, and current § 2400.10 being re-designated as § 2400.9.
II. Statutory and Executive Order Reviews
Executive Orders 12866 and 13132, and the Unfunded Mandates Reform Act of 1995: OSHRC is an independent regulatory agency and, as such, is not subject to the requirements of E.O. 12866, E.O. 13132, or the Unfunded Mandates Reform Act, 2 U.S.C. 1501 et seq.
Regulatory Flexibility Act: The Chairman of OSHRC certifies under the Regulatory Flexibility Act, 5 U.S.C. 605(b), that these rules will not have a significant economic impact on a substantial number of small entities. The only provision in part 2400 that could economically impact a small entity pertains to how OSHRC charges its Privacy Act fees, and that provision is not being revised. Moreover, when fees are assessed, the amounts are generally minimal; and it is not anticipated that the amendments to other provisions within part 2400 will have much affect (if any) on the number of entities responsible for paying Privacy Act fees or the amounts of those fees. Finally, the Privacy Act's protections apply to “individuals,” which typically would not include “small entities.” For these reasons, a regulatory flexibility analysis is not required.
Paperwork Reduction Act of 1995: OSHRC has determined that the Paperwork Reduction Act, 44 U.S.C. 3501 et seq., does not apply because these rules do not contain any information collection requirements that require the approval of OMB.
Congressional Review Act: These revisions do not constitute a “rule,” as defined by the Congressional Review Act, 5 U.S.C. 804(3)(C), because they involve changes to agency organization, procedure, or practice that do not substantially affect the rights or obligations of non-agency parties.
Start List of SubjectsList of Subjects in 29 CFR Part 2400
- Privacy
James J. Sullivan, Jr.,
Chairman.
For the reasons set forth in the preamble, OSHRC revises 29 CFR part 2400 to read as follows:
Start PartPART 2400—REGULATIONS IMPLEMENTING THE PRIVACY ACT
End Part- 2400.1
- Purpose and scope.
- 2400.2
- Description of agency.
- 2400.3
- Delegation of authority.
- 2400.4
- Procedures for requesting notification of and access to personal records.
- 2400.5
- Special procedures for requesting medical records.
- 2400.6
- Procedures for amending personal records.
- 2400.7
- Procedures for appealing.
- 2400.8
- Procedures for statements of disagreement and notification of amendment.
- 2400.9
- Schedule of fees.
Purpose and scope.This part provides procedures to implement the Privacy Act of 1974, 5 U.S.C. 552a. It is applicable only to records that are maintained by the Occupational Safety and Health Review Commission (OSHRC or the Commission), which includes all systems of records operated by an entity on behalf of OSHRC, pursuant to a contract, to accomplish an agency function. For purposes of this part, such contractors do not include any consumer reporting agency to which a record is disclosed under 31 U.S.C. 3711(e). This part does not affect discovery in adversary proceedings before the Commission. Discovery is governed by the Commission's Rules of Procedures in 29 CFR part 2200, subpart D.
Description of agency.OSHRC adjudicates contested enforcement actions under the Occupational Safety and Health Act of 1970, 29 U.S.C. 651-678. The Commission decides cases after the parties are given an opportunity for a hearing. All hearings are open to the public and are conducted at a place convenient to the parties by an Administrative Law Judge. Any Commissioner may direct that a decision of a Judge be reviewed by the full Commission. The President designates one of the Commissioners as Chairman, who is responsible on behalf of the Commission for the administrative operations of the Commission.
Delegation of authority.The Chairman shall designate an OSHRC employee as the Privacy Officer and shall delegate to the Privacy Officer the authority to ensure agency-wide compliance with this part. As necessary, the Privacy Officer shall coordinate this delegated responsibility with the Senior Agency Official for Privacy.
Procedures for requesting notification of and access to personal records.The purpose of this section is to provide procedures by which an individual may request notification about whether a system of records contains a record about that individual (“a personal record”), or may gain access to such a record included in a system of records.
(a) Submission of requests—(1) Manner. An individual seeking information regarding the content of a system of records or access to a personal record in a system of records should submit a written request either in person or by mail to the Privacy Officer, OSHRC, One Lafayette Centre, 1120 20th Street NW, Ninth Floor, Washington, DC 20036-3457. A request may also be submitted to the FOIA Disclosure Officer in accordance with the procedures set forth at 29 CFR 2201.5(a). Such a request, however, must be identified as a “Privacy Act Request.” The FOIA Disclosure Officer will forward any request identified in this manner to the Privacy Officer for processing.
(2) Notification requests. A request for notification about whether a system of records contains a personal record must specify which system of records, as described in the agency's system-of-records notices published in Federal Register, is the subject of the request.
(3) Access requests. A request for access to a personal record shall Start Printed Page 65223describe the nature of the record sought, the approximate dates covered by the record, and the system of records in which the record is thought to be included as described in the agency's system-of-records notices published in the Federal Register. The request should also indicate whether the requester wishes to review the record in person or obtain a copy by mail. If the information supplied is insufficient to locate or identify the record, the requester shall be notified promptly and, if necessary, informed of the additional information required.
(b) Period for response. After receiving a request, the Privacy Officer shall respond to it no later than 10 working days from the request's receipt.
(c) Verification of identity. The following standards for verifying an individual's identity are applicable to any individual who requests a personal record under this part:
(1) An individual seeking access to a record in person shall, if possible, present a government-issued identification that includes a photo, such as a passport or a driver's license.
(2) An individual seeking access to a record by mail shall, if possible, provide a signature, address, date of birth, place of birth, and a photocopy of a government-issued identification that includes a photo, such as a passport or a driver's license.
(3) An individual seeking access to a record either by mail or in person who cannot provide the necessary documentation of identification specified in paragraphs (c)(1) and (2) of this section may provide a declaration in accordance with 28 U.S.C. 1746, swearing or affirming to his or her identity and to the fact that he or she understands the penalties for false statements pursuant to 18 U.S.C. 1001.
(d) Verification of guardianship. The parent or guardian of a minor or an individual judicially determined to be incompetent and seeking to act on behalf of such minor or incompetent shall, in addition to establishing his or her own identity, establish the identity of the minor or other individual he or she represents as required in paragraph (c) of this section and establish his or her own parentage or guardianship of the subject of the record by furnishing either a copy of a birth certificate showing parentage or a court order establishing the guardianship.
(e) Accompanying persons. An individual seeking to review a personal record in person may be accompanied by another individual of his or her own choosing. Both the individual seeking access and the accompanying individual shall be required to sign a form provided by OSHRC indicating that OSHRC is authorized to discuss the contents of the subject record in the presence of both individuals.
(f) When compliance is possible. (1) The Privacy Officer shall inform the requester of the determination to grant the request and shall make the personal record available to the individual in the manner requested, that is, either by forwarding a copy of the information to the requester or by making it available for review, unless:
(i) It is impracticable to provide the requester with a copy, in which case the requester shall be notified of this and informed of the procedures set forth in paragraph (c) of this section, or
(ii) The Privacy Officer has reason to believe that the cost of a copy is considerably more expensive than anticipated by the requester, in which case the Privacy Officer shall notify the requester of the estimated cost, and ascertain whether the requester still wishes to be provided with a copy of the information.
(2) Where a personal record is to be reviewed by the requester in person, the Privacy Officer shall inform the requester in writing of:
(i) The date on which the record shall become available for review, the location at which it may be reviewed, and the hours for inspection;
(ii) The requirements for verifying identity as set forth in paragraphs (c) and (d);
(iii) The requester's right to be accompanied by another individual to review the record as set forth in paragraph (e) of this section; and
(iv) The requester's right to have another individual review the record.
(3) If the requester seeks to inspect the personal record without receiving a copy, the requester shall not leave OSHRC premises with the record and shall sign a statement identifying the specific record or category of records that has been reviewed.
(g) When compliance is not possible. The denial of a written request to review a personal record shall be sent to the requester in writing and signed by the Privacy Officer. This response shall be provided when the requested record does not exist, does not contain personal information relating to the requester, or is exempt. The response shall include a statement regarding the determining factors of denial, and the requester's rights to administrative appeal and, thereafter, judicial review in a district court of the United States.
Special procedures for requesting medical records.(a) Upon an individual's request for access to any medical record about the requester, including any psychological record, the Privacy Officer shall make a preliminary determination on whether access to such record(s) could have an adverse effect upon the requester. If the Privacy Officer determines that access could have an adverse effect on the requester, OSHRC shall notify the requester in writing and advise that the record(s) at issue can be made available only to a physician of the requester's designation.
(b) OSHRC shall forward such record(s) to the physician designated by the requester once the following requirements are met:
(1) The requester has informed OSHRC of the designated physician's identity;
(2) OSHRC has verified the identity of the physician; and
(3) The physician has agreed to review the record(s) with the requester to both explain the meaning of the record(s) and offer counseling designed to temper any adverse reaction.
(c) If, within 60 calendar days of OSHRC's written request for a designation, the requester has failed to respond or designate a physician, or the physician fails to agree to the release conditions, then OSHRC shall hold the records(s) in abeyance and advise the requester that this action may be construed as a technical denial. OSHRC shall also advise the requester of his or her rights to administrative appeal and, thereafter, judicial review in a district court of the United States.
Procedures for amending personal records.(a) Submission of requests for amendment. Upon review of an individual's personal record, that individual may submit a request to amend such record. This request shall be submitted in writing to the Privacy Officer, in accordance with § 2400.4(a)(1)'s procedures, and shall include a statement of the amendment requested and the reasons for such amendment, e.g., relevance, accuracy, timeliness or completeness of the record.
(b) Action to be taken by the Privacy Officer. Upon receiving an amendment request, the Privacy Officer shall promptly:
(1) Acknowledge in writing within 10 working days the receipt of the request;
(2) Make such inquiry as is necessary to determine whether the amendment is appropriate; and
(3) Resolve the request by either:Start Printed Page 65224
(i) Correcting or eliminating any information that is found to be incomplete, inaccurate, irrelevant to a statutory purpose of OSHRC, or untimely and notifying the requester in writing when this action is complete; or
(ii) Notifying the requester in writing of a determination not to amend the personal record, including the reasons for the denial, and advising the requester of his or her right to appeal in accordance with § 2400.7.
Procedures for appealing.(a) Submission of appeal. (1) If a request to provide notification of a personal record, or to access or amend a personal record, is denied either in whole or in part, or if no determination is made within the period prescribed by this part, then the requester may appeal in writing to the Chairman by mailing an appeal letter to the following address: Privacy Appeal, OSHRC, One Lafayette Centre, 1120 20th Street NW, Ninth Floor, Washington, DC 20036-3457.
(2) To be considered timely, the requester must submit the appeal letter within 30 calendar days of the date of denial, or within 90 calendar days of his or her request if the appeal is from a failure of the Privacy Officer to make a determination. The appeal letter should include, as applicable:
(i) Reasonable identification of the system to which notification was sought, the personal record to which access was sought, or the amendment that was requested.
(ii) A statement of the OSHRC action or failure to act being appealed and the relief sought.
(iii) A copy of the request, the notification of denial, and any other related correspondence.
(b) Final decisions. The Chairman must make a final decision no later than 30 working days from the date of the request, but the Chairman may extend this time period for good cause. The requester, however, must be notified of the extension within the initial 30 working-day period, and the extension may not exceed 90 calendar days from the date of the request. Any personal record found on appeal to be incomplete, inaccurate, irrelevant, or untimely, shall within 30 working days of the date of such findings be appropriately amended.
(c) Decision requirements. The decision of the Chairman constitutes the final decision of OSHRC on the right of the requester to be notified of, or to access or amend, a personal record. The decision on the appeal shall be in writing and, in the event of a denial, shall set forth the reasons for such denial and state the individual's right to obtain judicial review in a district court of the United States. An indexed file of the agency's decisions on appeal shall be maintained by the Privacy Officer.
Procedures for statements of disagreement and notification of amendment.(a) Submission of statement of disagreement. If a final decision concerning an amendment request does not satisfy the requester, then the requester may provide a statement of disagreement that is of reasonable length and sets forth a position regarding the disputed information. This statement of disagreement shall be accepted by OSHRC and included in the relevant personal record. If deemed appropriate, OSHRC may also include a concise statement in the record of its reasons for not making a requested amendment.
(b) Notification of amendment and statement of disagreement. (1) OSHRC shall inform any person or other agency about an amendment to a personal record, or notation made to the record under paragraph (a) of this section, if that record has been disclosed to the person or agency, the amendment or notation was made pursuant to this part, and an accounting of the disclosure was made pursuant to 5 U.S.C. 552a(c).
(2) When a personal record is disclosed to a person or other agency after a notation under paragraph (a) of this section is made to the record, OSHRC shall clearly note any portion of the record that is disputed and provide a copy of any notation included in the record.
Schedule of fees.(a) Policy. The purpose of this section is to establish fair and equitable fees to permit reproduction of personal records for concerned individuals.
(b) Reproduction. (1) For the fees associated with reproduction of personal records, refer to appendix A to part 2201, Schedule of Fees.
(2) OSHRC shall not normally furnish more than one copy of any record.
(c) Limitations. No fee shall be charged to any individual for the process of retrieving, reviewing, or amending personal records.
[FR Doc. 2020-21011 Filed 10-14-20; 8:45 am]
BILLING CODE 7600-01-P
Document Information
- Effective Date:
- 10/15/2020
- Published:
- 10/15/2020
- Department:
- Occupational Safety and Health Review Commission
- Entry Type:
- Rule
- Action:
- Final rule.
- Document Number:
- 2020-21011
- Dates:
- Effective October 15, 2020.
- Pages:
- 65221-65224 (4 pages)
- Topics:
- Privacy
- PDF File:
- 2020-21011.pdf
- CFR: (9)
- 29 CFR 2400.1
- 29 CFR 2400.2
- 29 CFR 2400.3
- 29 CFR 2400.4
- 29 CFR 2400.5
- More ...