2023-03467. The Commission's Privacy Act Regulations  

  • Start Preamble

    AGENCY:

    Securities and Exchange Commission.

    ACTION:

    Proposed rule.

    SUMMARY:

    The Securities and Exchange Commission (“Commission” or “SEC”) is proposing amendments to the Commission's regulations under the Privacy Act of 1974, as amended (“Privacy Act”). The proposed amendments would revise the Commission's regulations under the Privacy Act to clarify, update, and streamline the language of several procedural provisions.

    DATES:

    Comments should be received by April 17, 2023.

    ADDRESSES:

    Comments may be submitted by any of the following methods:

    Electronic Comments

    • Use the Commission's internet comment form ( https://www.sec.gov/​rules/​submitcomments.htm);

    • Send an email to rule-comments@sec.gov. Please include File Number S7-03-23 on the subject line; or

    Paper Comments

    • Send paper comments to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

    All submissions should refer to File Number S7-03-23. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post comments on the Commission's website ( https://www.sec.gov/​rules/​proposed.shtml). Comments are also available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Operating conditions may limit access to the Commission's Public Reference Room. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly.

    Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on our website. To ensure direct electronic receipt of such notifications, sign up through the “Stay Connected” option at www.sec.gov to receive notifications by email.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Ray McInerney, FOIA/PA Officer, Office of FOIA Services, (202) 551-6249; Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-5041.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    I. Background

    The Privacy Act is the principal law governing the handling of personal information in the Federal government. It governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by Federal agencies. The Privacy Act also affords individuals a right of access to records pertaining to them and a right to have inaccurate records corrected. The Commission last amended its Privacy Act regulations in 2011.

    In the course of reviewing our regulations under the Privacy Act, we have identified areas where it would be beneficial to clarify, update, and streamline the language of several provisions. Accordingly, we are proposing revisions to our Privacy Act regulations. The proposed revisions include: adding a provision setting forth the process by which individuals may be provided with an accounting of disclosures made by the Commission; adding a provision to codify the existing practice of providing 90 days to file an administrative appeal in response to a denial of a Privacy Act inquiry or request; deleting certain existing provisions that are duplicative and unnecessary; reorganizing certain provisions; and updating the fee provisions.[1] Due to the scope of the proposed revisions, the proposed rule would replace the Commission's current Privacy Act regulations in their entirety (17 CFR 200.301 through 200.313).

    II. Discussion of the Proposed Rule

    A. Proposed Amendments To Update, Clarify, and Streamline the Privacy Act Regulations

    We are proposing to amend certain procedural provisions to clarify, update, and streamline the Commission's regulations.[2] The proposed revisions, among other things: clarify the purpose and scope of the regulations (proposed Section 200.301); update definitions so that the processes set forth in the regulations are more plainly described (proposed 17 CFR 200.302); simplify the processes for submitting and receiving responses to Privacy Act inquiries, requests, and administrative appeals (proposed 17 CFR 200.303, 305, 306, 307, and 308); allow for requesters to electronically verify their identities, including by facsimile, email, or an online Commission form (proposed 17 CFR 200.303); [3] provide for a shorter Commission response time to Privacy Act inquiries as to whether a specific system of records maintained by the Commission contains a record pertaining to the requester, which aligns with other relevant time lines (proposed 17 CFR 200.304); update agency contact information ( e.g., office names, facsimile numbers, email addresses, and physical addresses) (proposed 17 CFR 200.303, 305, 308, and 309); and update the list of Commission systems of records that have promulgated rules exempting certain records from certain provisions of the Privacy Act (proposed 17 CFR 200.310).

    B. Proposed Revisions to Fee Provisions

    The proposed amendments would revise the fee provisions (proposed 17 CFR 200.309) to update the provisions to reflect existing practice. The present rule states that fees for copying documents will be determined by rates set by contract with commercial copiers. Start Printed Page 10484 The proposed amendments would revise the rule to reflect existing practice, which is to apply the duplication fees listed on the Office of FOIA Services' fee page on the Commission's website. The duplication fees currently posted on the website reflect the direct costs to the Commission of producing a copy, whether in paper or electronic format, taking into account various factors including the salary of the employee(s) performing the work and the cost of materials. The Office of FOIA Services does not charge for providing existing electronic records because such a production does not require processes, such as copying or scanning, that impose direct costs on the Commission. The duplication fee posted on the Commission's website is adjusted as appropriate to reflect current costs.

    The proposed amendments also would codify the existing practice of charging requesters the direct costs associated with making records available on electronic storage devices, as reflected on the Commission's FOIA fee website. Further, the proposed amendments would allow for providing requesters with one free copy of each record amended or corrected pursuant to a request for amendment or correction.

    C. Proposed Elimination of Certain Provisions

    The proposed amendments would eliminate two Sections of the existing regulations in their entirety. The proposed amendments also would eliminate certain other provisions within the existing regulations. The deleted provisions restate language in the Privacy Act, and thus do not require elaboration in the Commission's regulations; have been incorporated into other provisions within the proposed rule; or are otherwise unnecessary. The proposed amendments would remove the following:

    Title 17, section 200.305 of the existing rule: This provision, which provides special procedures for requests for medical records, is unnecessary as the medical records the Commission typically maintains, whether about Commission staff or other individuals, are generally available to those individuals through other means, and the Commission has never used special procedures for medical records in connection with Privacy Act requests.

    Title 17, section 200.307(b) of the existing rule: This provision restates the standards applied in reviewing requests for amendment or correction of records. These standards are set forth in the Privacy Act. Therefore, it is unnecessary to restate them in the Commission's regulations.

    Title 17, section 200.309(a): This provision describes the standards for extending time to respond to requests. This section uses language from the Freedom of Information Act (5 U.S.C. 552(a)(6)(B)(iii)) rather than the Privacy Act. Title 17, sections 200.304(d)(1), 304(d)(2)(ii), 307(b), and 309(a)(3) of the proposed rule contain information about extensions of time based on the requirements of the Privacy Act.

    Title 17, sections 200.309(b), (c), (d), and (e) of the existing rule: These provisions are unnecessary as they are not contemplated by the statute, are covered elsewhere in the revised rule, or are obsolete due to changes in technology affecting how Privacy Act requests are processed.

    Title 17, section 200.311 of the existing rule: This provision restates the statutory penalties set forth in the Privacy Act (5 U.S.C. 552a(i)). Accordingly, recitation within Commission regulations is unnecessary.

    D. Proposed Addition of Provisions

    The proposed amendments would add a provision for processing requests by individuals for an accounting of certain record disclosures about the requester, to include the date, nature, and purpose of each disclosure, that the Commission has made available to another person, organization, or agency (proposed 17 CFR 200.307). While the statute allows for individuals to request such an accounting (5 U.S.C. 552a(c)(3)), the Commission's existing rule has no such provision. The proposed amendments would also add a provision that formally implements a 90-day time period for requesters to file administrative appeals (proposed 17 CFR 200.308). The 90-day period is appropriate because Privacy Act requests for access to records are also processed as Freedom of Information Act (“FOIA”) requests and the FOIA sets forth a 90-day deadline to file an administrative appeal. Because of the overlap with FOIA, Privacy Act requesters are currently informed they have 90 days to file an administrative appeal in response to an adverse decision.

    E. Structure of the Proposed Rule

    The structure of the regulations would be revised to read as follows:

    III. General Request for Comments

    We request and encourage any interested person to submit comments on any aspect of the proposals, other matters that might have an impact on the proposals, and suggestions for additional changes. We note that comments are of particular assistance if accompanied by analysis of the issues addressed in those comments and any data that may support the analysis. We urge commenters to be as specific as possible.

    IV. Economic Analysis

    The Commission is sensitive to the economic effects, including the costs and benefits that result from its rules. Section 23(a)(2) of the Securities Exchange Act of 1934 (“Exchange Act”) requires the Commission, in making rules pursuant to any provision of the Exchange Act, to consider among other matters the impact any such rule would have on competition and prohibits any rule that would impose a burden on competition that is not necessary or appropriate in furtherance of the purposes of the Exchange Act.[4] Further, Section 3(f) of the Exchange Act requires the Commission, when engaging in rulemaking where it is required to consider or determine whether an action is necessary or appropriate in the public interest, to consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation.[5] As discussed further below, we preliminarily believe that the economic effects of the proposed amendments would be limited. Where possible, we have attempted to quantify the costs, benefits, and effects on efficiency, competition, and capital formation expected to result from the proposed amendments.

    The proposed amendments fall into four categories: (1) revisions to Start Printed Page 10485 procedural provisions; (2) revisions to certain fee provisions; (3) the elimination of certain unnecessary provisions; and (4) the addition of a new provision for requesting an accounting of record disclosures. We discuss each of these in turn below.

    First, we are proposing amendments to procedural provisions. Most of these changes would codify existing practice, including: (1) adding new methods for submitting Privacy Act inquiries, requests, and administrative appeals; (2) clarifying the existing procedures for submitting requests for information or records about oneself; (3) clarifying certain existing procedures for verification of identity, including options available for in-person or not in-person verification and necessary documentation; (4) clarifying existing procedures for submitting an administrative appeal; (5) codifying the existing practice of providing requesters 90 days to file an administrative appeal; and (6) correctly identifying the Commission systems of records that are exempt under the Privacy Act.[6] We believe that these changes would have minimal impact on Privacy Act requesters because they largely codify existing practices. To the extent the proposed amendments result in these practices being followed more consistently, they could benefit the public and improve efficiency by decreasing the time in which the Commission responds to inquiries, requests, and appeals.

    Furthermore, these amendments may reduce potential confusion among Privacy Act requesters with regard to certain existing procedures, which could further benefit the public. In particular, because Privacy Act requests for access to records are also processed as FOIA requests and the FOIA sets forth a 90-day deadline to file an administrative appeal, Privacy Act requesters are currently informed they have 90 days to file an administrative appeal in response to an adverse decision. We believe that codifying this existing practice would benefit requesters by removing any uncertainty as to when appeals must be filed. In addition, with respect to the provisions on verification of identity, the amendments also explicitly provide for an alternative electronic identification option through processes made available on the Commission's website. By clarifying and supplementing the available options for verification, these amendments may allow requestors to more efficiently choose a verification process that is most appropriate for them. We do not expect the proposed amendments to the procedural provisions to result in additional costs to any member of the public.

    Second, we are proposing to revise the provision concerning fees charged for duplication. This includes: (1) determining duplication fees based on the direct cost to the Commission as set forth on the FOIA fee page on the Commission's website; (2) codifying the existing practice of charging requesters the direct costs associated with making records available on electronic storage devices; and (3) clarifying that requesters will receive one free copy of each record corrected or amended pursuant to a request for amendment.

    The proposed changes to the fee procedures would benefit Privacy Act requesters by removing potential confusion about the cost of obtaining records and the cost of making records available on electronic storage devices. We do not anticipate that any of the proposed changes to the fee procedures would impose significant new costs on Privacy Act requesters or have any other economic impact.

    Prior to July 2018, duplication costs for FOIA and Privacy Act requesters were 24 cents per page as set by contract with a commercial copier. Since that time, duplication costs have been set at 15 cents per page, which reflects the direct cost to the Commission. Duplication fees may change in the future, to the extent that the Commission's direct costs for duplicating materials increase or decrease.

    The table below shows the number of Privacy Act requests processed by the Commission during fiscal years 2015 through 2022 and that, during those years, the Commission collected no fees for processing requests received under the Privacy Act.

    Fiscal yearRequests processedFees collected for processing requests
    2015134$00.00
    201615500.00
    20179500.00
    201828300.00
    201916200.00
    202015900.00
    202125500.00
    202226100.00

    From fiscal years 2015 through 2022 requesters were not charged fees because either no records were provided or the requester was provided with existing electronic records, for which a fee is not charged. There were no requests processed that required production of hard copy records, the scanning of hard copies, or production in another media, such as an electronic storage device, and, consequently, no requests that would have imposed direct costs on the Commission.

    Given the lack of chargeable duplication fees in recent years, the Commission anticipates that the proposed changes to duplication fees (including fees for producing materials in electronic format) would not result in significant additional costs for requesters. Further, these proposed changes largely codify existing practices regarding fees for duplication and production on other types of media and, like the current regulations, do not charge fees for searching or retrieving records.

    The proposed change that clarifies that requesters will receive one free copy of each record corrected or amended pursuant to a request for amendment also codifies an existing practice, and would therefore not impose any additional burden on requesters.

    Third, the Commission is proposing to eliminate certain provisions in its Privacy Act regulations. The Commission does not anticipate that the removal of 17 CFR 200.305 will have any meaningful economic effects. The provision provides special procedures for requests for medical records, but the medical records the Commission typically maintains, whether about Commission staff or other individuals, are generally available to those individuals through other means, and the Commission has never used special procedures for medical records in connection with Privacy Act requests. The Commission does not expect the proposed elimination of 17 CFR 200.307(b) and 200.311 to result in any economic effects because they restate language in the Privacy Act.

    There would also be minimal economic effects from the proposed elimination of 17 CFR 200.309(a), which describes the standards for extending time to respond to requests, because other provisions in the proposed rule (17 CFR 200.304(d), 200.306(b), and 200.307(d)) address the procedures and reasons for extending the time to respond to inquiries and requests. Similarly, the Commission does not expect the proposed elimination of 17 CFR 200.309(c) and 200.309(d) to result in meaningful economic effects. These provisions require giving notice to a requester when delay will result from the fact that the subject records are in Start Printed Page 10486 use by a member of the Commission or its staff and when records are lost. The proposed rule would require the Office of FOIA Services to notify requesters of reasons for delay and of the fact that a record does not exist, so the specific information in 17 CFR 200.309(c) and 200.309(d) is duplicative.

    The proposed elimination of 17 CFR 200.309(b) would remove the concept of an “effective date of action” as it relates to mailing acknowledgements or responses by the Commission. This proposed amendment could increase the Commission's flexibility in acknowledging or responding to requests while also potentially increasing uncertainty for requesters, but these effects would only be realized to the extent that requesters and the Commission rely on mail to make and respond to requests, and the Commission expects that use of mail will be infrequent going forward because most communications occur by email.

    The proposed elimination of 17 CFR 200.309(e)(1), which prohibits oral requests, would have no substantive effect, because the existing regulations, like the proposed amendments, elsewhere require Privacy Act requests to be made in writing. The elimination of 17 CFR 200.309(e)(2), which states that a misdirected request will be deemed received only once it is received by a Privacy Act Officer and that an appeal will not be considered unless the request was in fact received by a Privacy Act Officer, would remove an unnecessary provision because the proposed rules in 17 CFR 200.303(a) and 200.305(a) have the same effect by requiring that requesters use the methods described in the proposed rules to submit a Privacy Act inquiry or request.

    Finally, the Commission is proposing to add a provision outlining the procedure for making requests for an accounting of record disclosures. The existing rules do not provide for such a procedure, although the public's right to make such a request is contemplated by the statute. 5 U.S.C.552a(c)(3). This provision would reduce the potential confusion among Privacy Act requesters about the exact procedure that they would have to follow with regard to this type of request, and therefore this provision would generally benefit the public. Furthermore, by providing clarity about the procedure that would have to be followed when requesting an accounting of record disclosure, the provision would likely reduce the cost to the public of submitting this type of request.

    The Commission preliminarily believes that the proposed amendments would not have any significant impact on competition or capital formation. The proposed amendments may result in a slight improvement in operational efficiency, to the extent that they decrease the time in which the Commission responds to inquiries, requests, and appeals. The Commission requests comment on all aspects of the benefits and costs of the proposal, including any anticipated impacts on efficiency, competition, or capital formation.

    V. Regulatory Flexibility Act Certification

    Section 3(a) of the Regulatory Flexibility Act of 1980 requires the Commission to undertake an initial regulatory flexibility analysis of the effect of the proposed rule amendments on small entities unless the Commission certifies that the proposal, if adopted, would not have a significant economic impact on a substantial number of small entities. As discussed above, most of the proposed changes are procedural. Many of the changes codify existing practices and are therefore unlikely to have any economic impact on requesters. With respect to the changes to the fee schedule, under the Privacy Act, agencies may recover only the cost of duplicating the records processed for requesters. These fees are typically nominal, and the proposed changes to the fee regulations codify existing practice and thus would not have a significant economic impact on a Privacy Act requester. Fees for duplication are identified on the Commission's web page at https://www.sec.gov/​foia/​feesche.htm. In accordance with the Regulatory Flexibility Act (5 U.S.C. 605(b)), the Commission certifies that the proposed amendments to the Privacy Act regulations, if adopted, would not have a significant economic impact on a substantial number of small entities. The Commission requests comment regarding the appropriateness of its certification.

    VI. Paperwork Reduction Act

    The proposed rule would not impose any new “collection of information” requirement as defined by the Paperwork Reduction Act of 1995 (“PRA”), 44 U.S.C. 3501 et seq.; nor would it create any new filing, reporting, recordkeeping, or disclosure reporting requirements. Accordingly, we are not submitting the proposed rule to the Office of Management and Budget for review under the PRA.[7] We request comment on whether our conclusion that there are no new collections of information is correct.

    VII. Small Business Regulatory Enforcement Fairness Act

    Under the Small Business Regulatory Enforcement Fairness Act of 1996, a rule is considered “major” where, if adopted, it results or is likely to result in: (i) an annual effect on the economy of $100 million or more (either in the form of an increase or a decrease); (ii) a major increase in costs or prices for consumers or individual industries; or (iii) significant adverse effect on competition, investment, or innovation.[8] We request comment on the potential impact of the proposed rule on the economy on an annual basis, any potential increase in costs or prices for consumers or individual industries, and any potential effect on competition, investment, or innovation. Commenters are requested to provide empirical data and other factual support for their view to the extent possible.

    Statutory Authority and Text of Proposed Rule Amendments

    The amendments contained herein are being proposed under the authority set forth in 5 U.S.C. 552a(f), 552a(j), 552a(k); and 15 U.S.C. 78d-1 and 78w(a).

    Start List of Subjects

    List of Subjects in 17 CFR Part 200

    • Administrative practice and procedure; Privacy Act
    End List of Subjects

    Text of Proposed Amendments

    For the reasons stated in the preamble, the Commission proposes to amend title 17, chapter II of the Code of Federal Regulations as follows:

    Start Part

    PART 200—ORGANIZATION; CONDUCT AND ETHICS; AND INFORMATION AND REQUESTS

    End Part Start Amendment Part

    1. The authority citation for part 200 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 5 U.S.C. 552, 552a, 552b, and 557; 11 U.S.C. 901 and 1109(a); 15 U.S.C. 77c, 77e, 77f, 77g, 77h, 77j, 77o, 77q, 77s, 77u, 77z-3, 77ggg(a), 77hhh, 77sss, 77uuu, 78b, 78c(b), 78d, 78d-1, 78d-2, 78e, 78f, 78g, 78h, 78i, 78k, 78k-1, 78 l, 78m, 78n, 78o, 78o-4, 78q, 78q-1, 78w, 78t-1, 78u, 78w, 78 ll (d), 78mm, 78eee, 80a-8, 80a-20, 80a-24, 80a-29, 80a-37, 80a-41, 80a-44(a), 80a-44(b), 80b-3, 80b-4, 80b-5, 80b-9, 80b-10(a), 80b-11, 7202, and 7211 et seq.;29 U.S.C. 794; 44 U.S.C. 3506 and 3507; Reorganization Plan No. 10 of 1950 (15 U.S.C. 78d nt); sec. Start Printed Page 10487 8G, Pub. L. 95-452, 92 Stat. 1101 (5 U.S.C. App.); sec. 913, Pub. L. 111-203, 124 Stat. 1376, 1827; sec. 3(a), Pub. L. 114-185, 130 Stat. 538; E.O. 11222, 30 FR 6469, 3 CFR, 1964-1965 Comp., p. 36; E.O. 12356, 47 FR 14874, 3 CFR, 1982 Comp., p. 166; E.O. 12600, 52 FR 23781, 3 CFR, 1987 Comp., p. 235; Information Security Oversight Office Directive No. 1, 47 FR 27836; and 5 CFR 735.104 and 5 CFR parts 2634 and 2635, unless otherwise noted.

    End Authority Start Amendment Part

    2. Revise subpart H to read as follows:

    End Amendment Part

    Subpart H—Regulations Pertaining to the Privacy of Individuals and Systems of Records Maintained by the Commission

    200.301
    Purpose and scope.
    200.302
    Definitions.
    200.303
    Procedures for making inquiries and requests for access.
    200.304
    Responses to inquiries and requests for access.
    200.305
    Requests for amendment or correction of records.
    200.306
    Review of requests for amendment or correction.
    200.307
    Requests for an accounting of record disclosures.
    200.308
    Administrative appeals.
    200.309
    Fees.
    200.310
    Specific exemptions.
    200.311
    Inspector General exemptions.
    200.312
    [Reserved]
    Start Authority

    Authority: 5 U.S.C. 552a(f), unless otherwise noted.

    End Authority

    Section 200.310 is also issued under 5 U.S.C. 552a(k).

    Section 200.311 is also issued under 5 U.S.C. 552a(j) and 5 U.S.C. 552a(k).

    Purpose and scope.

    (a) This subpart contains the rules of the Securities and Exchange Commission implementing the Privacy Act of 1974, as amended (Pub. L. 93-579, 5 U.S.C. 552a). These rules are applicable to all records in systems of records maintained by the Commission. They set forth the procedures by which individuals may make an inquiry regarding or request access to records about themselves, request an amendment or correction of those records, and request an accounting of disclosures of those records by the Commission.

    (b) This subpart also lists the Commission systems of records that are exempt from some of the provisions of the Privacy Act of 1974. These exemptions are authorized under the Privacy Act, 5 U.S.C. 552a(j) and (k).

    Definitions.

    In addition to the definitions contained in 5 U.S.C. 552a(a), the following definitions apply in this subpart:

    Commission means the Securities and Exchange Commission.

    Inquiry means a request described in Privacy Act section (f)(1).

    Privacy Act means the Privacy Act of 1974, as amended (5 U.S.C. 552a).

    Request for access to a record means a request made under Privacy Act section (d)(1).

    Request for amendment or correction of a record means a request made under Privacy Act section (d)(2).

    Request for an accounting means a request made under Privacy Act section (c)(3).

    Requester means an individual who makes an inquiry, a request for access, a request for amendment or correction, or a request for an accounting.

    Procedures for making inquiries and requests for access.

    Requesters seeking to know if a specific system of records maintained by the Commission contains a record pertaining to them may submit an inquiry to the Commission. Requesters may also request access to records pertaining to them in a system of records maintained by the Commission.

    (a) How to make an inquiry or request for access. An inquiry or request for access must be in writing and may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/​forms/​request_​public_​docs. A requester may alternatively submit an inquiry or request for access by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/​oso/​help/​foia-contact.html. Inquiries and requests for access that are submitted by mail should include the words “PRIVACY ACT REQUEST” in capital letters at the top of the letter and on the face of the envelope.

    (b) Information to be included in an inquiry or request for access. Each inquiry or request for access must include information that will assist the Commission in identifying those records the requester is seeking information about or access to. The following information, as relevant, should be submitted with the request: name of the individual whose record is sought; identifying data that will help locate the record ( e.g., maiden name and period or place of employment); and the requester's name, address, telephone number, and email address. Where practicable, the requester should identify the system of records that is the subject of the inquiry or request for access by reference to the Commission's systems of records notices, which are published in the Federal Register . The Commission's systems of records notices can also be found on the Commission's website at https://www.sec.gov/​oit/​system-records-notices. If additional information is required before a request can be processed, the requester will be so advised.

    (c) Verification of identity. A requester making an inquiry or requesting access to a record must verify his or her identity before information is given or access is granted unless the information is required to be disclosed under the Freedom of Information Act (FOIA), 5 U.S.C. 552.

    (1) In-person verification. A requester may appear at any of the Commission offices, which are listed on the Commission's website at https://www.sec.gov/​divisions.shtml, and furnish documentation to establish his or her identity. Such documentation might include a valid driver's license, passport, birth certificate, employee or military identification card, or Medicare card. Sufficiency of the documentation in verifying identity will be determined by the Commission staff member reviewing such documentation.

    (2) Not in-person verification. A requester who does not appear in person must verify his or her identity using one of the following methods:

    (i) A requester may use electronic identity proofing and authentication processes as made available through the Commission's website; or

    (ii) A requester may submit a copy of documentation to establish the requester's identity (examples of such documentation are noted in paragraph (c)(1) of this section).

    (3) Submission of signed statement. For all verification methods, a requester must also submit a statement attesting to the requester's identity and a statement that the requester understands that a knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a $5,000 fine. Sample statements and the requirements for completing them are available through the Commission's website.

    (4) Additional procedures for verifying identity. When it appears appropriate, the Commission's Office of FOIA Services may make such other arrangements for the verification of identity as are reasonable under the circumstances and appear to be effective to prevent unauthorized disclosure of, or access to, individual records.

    Start Printed Page 10488
    Responses to inquiries and requests for access.

    (a) Initial review. Inquiries and requests for access will be referred to the Commission's Office of FOIA Services which will make the initial determination as to whether the inquiry or request for access will be granted.

    (b) Grant of inquiry or request for access. If it is determined that an inquiry or request for access will be granted, the requester will be advised in writing. When a request for access is granted, in full or in part, a requester may elect to receive a copy of the requested record electronically, by mail, or in person, and the Office of FOIA Services will comply with that election to the extent practicable.

    (c) Denial of an inquiry or request for access. If it is determined that no response will be given to an inquiry or that a request for access will not be granted, the requester will be notified of that fact in writing and given the reasons for the denial. The requester also will be advised of his or her right to seek review by the Office of the General Counsel of the initial decision in accordance with the procedures set forth in § 200.308.

    (d) Time for acting on inquiries and requests for access. (1) Responses to inquiries. The Office of FOIA Services will endeavor to inform a requester making an inquiry as to whether the named system of records contains a record pertaining to him or her within 10 days (excluding Saturdays, Sundays, and Federal holidays) of receipt of such a request. Whenever a response to an inquiry cannot be made within the 10 days, the Office of FOIA Services will inform the requester of the reasons for the delay and the date by which a response may be anticipated.

    (2) Acknowledgement of and responses to requests for access. (i) Except where the requester appears in person, the Office of FOIA Services will endeavor to acknowledge, in writing, receipt of a request for access within 10 days (excluding Saturdays, Sundays, and Federal holidays) of receipt of such a request.

    (ii) The Office of FOIA Services will endeavor to respond to a request for access to a record pertaining to a requester within 30 days (excluding Saturdays, Sundays, and Federal holidays) after the receipt of the request. If, for good cause shown, a longer period of time is required, the Office of FOIA Services will inform the requester in writing of the reasons for the delay, and indicate when access is expected to be granted or denied.

    (3) Appearance in person. When a requester appears in person at the Commission to make a request for access and the requester provides the required information and verification of identity, the Office of FOIA Services' staff, if practicable, will indicate whether it is likely that the requester will be given access to the records and, if so, when and under what circumstances such access will be given.

    (e) Exclusion for certain records. Nothing contained in these rules allows a requester to obtain access to any records or information compiled in reasonable anticipation of a civil action or proceeding.

    Requests for amendment or correction of records.

    (a) How to a make request for amendment or correction. A written request for amendment or correction of records may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/​forms/​request_​public_​docs. A requester may alternatively submit a request for amendment or correction by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/​oso/​help/​foia-contact.html. Requests that are submitted by mail should include the words “PRIVACY ACT REQUEST” in capital letters at the top of the letter and on the face of the envelope.

    (1) Information to be included in requests for amendment or correction. Each request for amendment or correction must reasonably describe the record sought to be amended or corrected. Such description should include, for example, relevant names, dates, and subject matter to permit the record to be located among the records maintained by the Commission. The requester will be advised promptly if the record cannot be located on the basis of the description given and if further identifying information is necessary before the request can be processed. Verification of the requester's identity as set forth in § 200.303(c) will also be required before an amendment or correction is undertaken.

    (2) Basis for amendment or correction. A requester seeking an amendment or correction to a record must specify the substance of the amendment or correction and set forth facts and provide such materials that would support the contention that the record as maintained by the Commission is not accurate, timely, or complete or, where a request seeks deletion of information, that the record is not necessary and relevant to accomplish a statutory purpose of the Commission as authorized by law or by Executive Order of the President.

    (b) Acknowledgement of requests for amendment or correction. Receipt of a request for amendment or correction will be acknowledged in writing within 10 days (excluding Saturdays, Sundays, and Federal holidays) after such request has been received. When a request for amendment or correction is made in person, the requester will be given a written acknowledgement when the request is presented. The acknowledgement will describe the request received and indicate when it is anticipated that action will be taken on the request.

    Review of requests for amendment or correction.

    (a) Initial review. Requests for amendment or correction to records pertaining to that individual will be referred to the Commission's Office of FOIA Services for an initial determination.

    (b) Time for acting on requests. Initial review of a request for amendment or correction will be completed promptly and the Office of FOIA Services will endeavor to respond to a request within 30 days (excluding Saturdays, Sundays, and Federal holidays) from the date the request was received, unless circumstances preclude completion of review within that time. If the anticipated completion date indicated in the acknowledgement cannot be met, the requester will be advised in writing of the delay and the reasons for the delay, and also advised when action is expected to be completed.

    (c) Grant of requests for amendment or correction. If a request for amendment or correction is granted in whole or in part, the Office of FOIA Services will:

    (1) Advise the requester in writing of the extent to which it has been granted;

    (2) Amend or correct the record accordingly; and

    (3) Where an accounting of disclosures of the record has been kept pursuant to 5 U.S.C. 552a(c), advise all previous recipients of the record of the fact that the record has been amended or corrected and the substance of the amendment or correction.

    (d) Denial of requests for amendment or correction. If the request for amendment or correction is denied in whole or in part, the Office of FOIA Services will:

    (1) Promptly advise the requester in writing of the extent to which the request has been denied; Start Printed Page 10489

    (2) State the reasons for the denial of the request;

    (3) Describe the procedures to appeal the denial of the request for amendment or correction, including the name and address of the person to whom the appeal is to be addressed; and

    (4) Inform the requester that the Office of FOIA Services will provide information and assistance to the individual in perfecting an appeal of the initial decision.

    Requests for an accounting of record disclosures.

    (a) How made and addressed. Except where accountings of disclosures are not required to be kept or provided (as stated in paragraph (e) of this section), requesters may ask the Commission to provide an accounting of a disclosure of a record about the requester that the Commission has made to another person, organization, or agency. The request for an accounting should identify each particular record in question and must be made in writing. The request may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/​forms/​request_​public_​docs. A requester may alternatively submit a request for an accounting by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/​oso/​help/​foia-contact.html. Requests for accounting that are submitted by mail should include the words “PRIVACY ACT REQUEST” in capital letters at the top of the letter and on the face of the envelope.

    (b) Verification of identity. Verification of the requester's identity as set forth in section 202.303(c) will be required before an accounting is given.

    (c) Acknowledgement of requests for an accounting of record disclosures. The Office of FOIA Services will endeavor to acknowledge, in writing, receipt of a request for an accounting of record disclosures within 10 days of receipt of such a request (excluding Saturdays, Sundays, and Federal holidays). When a request for an accounting of record disclosures is made in person, the requester will be given a written acknowledgement when the request is presented. The acknowledgement will describe the request received and indicate when it is anticipated that action will be taken on the request.

    (d) Time for acting on requests. The Office of FOIA Services will endeavor to respond to a request for an accounting of record disclosures within 30 days (excluding Saturdays, Sundays, and Federal holidays) from the date the request was received, unless the requester is notified in writing within the 30-day period that, for good cause shown, a longer period of time is required. In such cases, the requester will be informed in writing of the reasons for the delay and an indication will be given as to when it is anticipated that an accounting may be granted or denied.

    (e) Grant of request of accounting. If it is determined that a request for an accounting will be granted, the requester will be advised in writing. When a request for access is granted, in full or in part, the information will be provided electronically, by mail, or in person at the requester's election.

    (f) Denial of a request for accounting. If it is determined that the request will not be granted, the requester will be notified of that fact in writing and given the reasons for the denial. The requester also will be advised of his or her right to seek review by the Office of the General Counsel of the initial decision in accordance with the procedures set forth in § 200.308.

    (g) Where accountings of record disclosures are not required. The Commission is not required to provide accountings of disclosures to requesters where they relate to:

    (1) Disclosures made to officers and employees within the Commission and disclosures made under the FOIA, 5 U.S.C. 552;

    (2) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from those law enforcement agencies specifying the law enforcement activities for which disclosures are sought; or

    (3) Disclosures made from law enforcement systems of records that have been exempted from accounting requirements.

    Administrative appeals.

    (a) Administrative review. A requester who has been notified pursuant to §§ 200.304(c), 200.306(d), or 200.307(d) that his or her inquiry or request has been denied in whole or in part, or who has received no response to a request for access or to amend within 30 days (excluding Saturdays, Sundays, and Federal holidays) after his or her request was received by the Office of the FOIA Services, may appeal to the Office of the General Counsel the adverse determination.

    (1) Appeals must be received within 90 calendar days of the date of the written denial of an inquiry or request and must be received no later than 11:59 p.m., Eastern Time, on the 90th day.

    (2) The appeal should be in writing and should provide the assigned request number, a copy of the original request, and the adverse determination. The appeal should also explain why the requester contends any adverse determination was in error. The requester may state such facts and cite such legal or other authorities as the requester may consider appropriate in support of the appeal. If only a portion of the adverse determination is appealed, the requester should specify which part is being appealed.

    (3) The appeal may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/​forms/​request_​public_​docs. A requester may alternatively submit an appeal by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/​oso/​help/​foia-contact.html.

    (4) The Office of the General Counsel will endeavor to make a determination with respect to an appeal within 30 days after the receipt of such appeal (excluding Saturdays, Sundays, and Federal holidays) unless, for good cause shown, the Office of the General Counsel extends that period. If such an extension is made, the individual who is appealing will be advised in writing of the extension, the reasons therefor, and the anticipated date when the appeal will be decided.

    (5) If the Office of the General Counsel concludes that an inquiry or request for access, amendment or correction, or an accounting should be granted, it will issue a decision granting the inquiry or request and instructing the Office of FOIA Services to comply with §§ 200.304(b), 200.306(c), or 200.307(c), as applicable.

    (6) If the Office of the General Counsel affirms the initial decision denying an inquiry or request for access or an accounting, it will issue a decision denying the inquiry or request and advising the requester of:

    (i) The reasons for the denial; and

    (ii) The requester's right to obtain judicial review of the decision pursuant to 5 U.S.C. 552a(g)(1)(B) or (g)(1)(D), as applicable.

    (7) If the Office of the General Counsel determines that the decision of the Office of FOIA Services denying a request for amendment or correction should be upheld, it will issue a decision denying the request and the individual will be advised of: Start Printed Page 10490

    (i) The decision refusing to amend or correct the record and the reasons therefor;

    (ii) The requester's right to file a concise statement setting forth his or her disagreement with the decision not to amend or correct the record;

    (iii) The procedures for filing such a statement of disagreement;

    (iv) The fact that any such statement of disagreement will be made available to anyone to whom the record is disclosed, together with, if the Office of the General Counsel deems it appropriate, a brief statement setting forth the Office of the General Counsel's reasons for refusing to amend or correct;

    (v) The fact that prior recipients of the record in issue will be provided with the statement of disagreement and the Office of the General Counsel's statement, if any, to the extent that an accounting of such disclosures has been maintained pursuant to 5 U.S.C. 552a(c); and

    (vi) The requester's right to seek judicial review of the Office of the General Counsel's refusal to amend or correct, pursuant to 5 U.S.C. 552a(g)(1)(A).

    (8) In appropriate cases the Office of the General Counsel may, in its sole discretion, refer matters requiring administrative review of initial decisions to the Commission for determination and the issuance, where indicated, of decisions.

    (b) Statements of disagreement. As noted in paragraph (a)(6)(ii) of this section, a requester may file a statement setting forth his or her disagreement with the Office of the General Counsel's denial of the request for amendment or correction.

    (1) Such statement of disagreement may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/​forms/​request_​public_​docs. A requester who is not able to submit a statement of disagreement by email or online may submit a request by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/​oso/​help/​foia-contact.html. A requester must submit a statement of disagreement within 30 days after receipt of the Office of the General Counsel's decision denying the request for amendment or correction. For good cause shown this period can be extended for a reasonable time.

    (2) Statements of disagreement should be concise and must clearly identify each part of any record that is disputed and state the basis for the requester's disagreement. The Office of the General Counsel will return unduly lengthy or irrelevant materials to the individual for appropriate revisions before they become a permanent part of the requester's record. Statements of disagreement will be placed in the system of records in which the disputed record is maintained. The disputed record will be marked to indicate that a statement of disagreement has been filed and where in the system of records it may be found.

    (3) If a requester has filed a statement of disagreement, the Office of FOIA Services will append a copy of it to the disputed record whenever the record is disclosed and may also append a concise statement of its reason(s) for denying the request for amendment or correction.

    (4) In appropriate cases, the Office of the General Counsel may, in its sole discretion, refer matters concerning statements of disagreement to the Commission for disposition.

    Fees.

    (a) The only fee to be charged to a requester under this part is for the duplication of records to be disclosed to the requester. No fee will be charged or collected for: search, retrieval, or review of records; or duplication at the initiative of the Commission without a request from the requester. Fees for duplication will be charged at rates set forth on the FOIA web page of the Commission's website at www.sec.gov. Fees for duplication include any costs incurred in making records available on electronic storage devices.

    (b) With regard to requests for amendment or correction, the Commission will provide the requester one copy of each record corrected or amended pursuant to his or her request without charge as evidence of the correction or amendment.

    (c) Whenever the Office of FOIA Services determines that good cause exists to grant a request for reduction or waiver of fees for duplication costs, it may reduce or waive any such fees.

    Specific exemptions.

    (a) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the following systems of records maintained by the Commission are exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I), and (f), and §§ 200.303, 200.305, and 200.307, insofar as they contain investigatory materials compiled for law enforcement purposes:

    (1) Enforcement Files;

    (2) Office of the General Counsel Working Files;

    (3) Office of the Chief Accountant Working Files;

    (4) Correspondence Response System;

    (5) Tips, Complaints, and Referrals (TCR) Records; and

    (6) SEC Security in the Workplace Incident Records.

    (b) Pursuant to 5 U.S.C. 552a(k)(5), the systems of records containing the Commission's Disciplinary and Adverse Actions, Employee Conduct, and Labor Relations Files are exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f), and §§ 200.303 through 200.309, insofar as they contain investigatory material compiled to determine an individual's suitability, eligibility, and qualifications for Federal civilian employment or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence.

    Inspector General exemptions.

    (a) Pursuant to, and limited by 5 U.S.C. 552a(j)(2), the system of records maintained by the Office of Inspector General of the Commission that contains investigative files is exempt from the provisions of 5 U.S.C. 552a, except sections (b), (c)(1) and (2), (e)(4)(A) through (F), (e)(6), (e)(7), (e)(9), (e)(10), and (e)(11), and (i), and §§ 200.303 through 200.309, insofar as the system contains information pertaining to criminal law enforcement investigations.

    (b) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the system of records maintained by the Office of Inspector General of the Commission that contains investigative files is exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f) and §§ 200.303 through 200.309, insofar as it contains investigatory materials compiled for law enforcement purposes.

    [Reserved]
    Start Signature

    By the Commission.

    Dated: February 14, 2023.

    Vanessa A. Countryman,

    Secretary.

    End Signature End Supplemental Information

    Footnotes

    1.  The terms “inquiry” and “request” are defined in 5 U.S.C. 552a.

    Back to Citation

    2.  These amendments are discussed in greater detail in Section IV. Economic Analysis.

    Back to Citation

    3.  The Office of FOIA Services currently accepts electronic submission of verification of identity in all of these formats.

    Back to Citation

    6.  One of the systems of records identified in the existing rule is obsolete. Another system of records had its name changed, and a new system of records was added.

    Back to Citation

    8.  Public Law 104-121, 110 Stat. 857 (1996) (codified in various sections of 5 U.S.C., 15 U.S.C., and as a note to 5 U.S.C. 601).

    Back to Citation

    [FR Doc. 2023-03467 Filed 2-17-23; 8:45 am]

    BILLING CODE 8011-01-P

Document Information

Published:
02/21/2023
Department:
Securities and Exchange Commission
Entry Type:
Proposed Rule
Action:
Proposed rule.
Document Number:
2023-03467
Dates:
Comments should be received by April 17, 2023.
Pages:
10483-10490 (8 pages)
Docket Numbers:
Release No. 34-96906, PA-59, File No. S7-03-23
RINs:
3235-AN21: Privacy Act Amendments
RIN Links:
https://www.federalregister.gov/regulations/3235-AN21/privacy-act-amendments
Topics:
Administrative practice and procedure, Privacy
PDF File:
2023-03467.pdf
CFR: (12)
17 CFR 200.301
17 CFR 200.302
17 CFR 200.303
17 CFR 200.304
17 CFR 200.305
More ...