2023-20690. The Commission's Privacy Act Regulations

AGENCY:

Securities and Exchange Commission.

ACTION:

Final rule.

SUMMARY:

The Securities and Exchange Commission (“Commission” or “SEC”) is adopting amendments to the Commission's regulations under the Privacy Act of 1974, as amended (“Privacy Act”). The amendments revise the Commission's regulations under the Privacy Act to clarify, update, and streamline the language of several procedural provisions.

DATES:

Effective: October 26, 2023.

FOR FURTHER INFORMATION CONTACT:

Ray McInerney, FOIA/PA Officer, Office of FOIA Services, (202) 551–6249; Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–5041.

SUPPLEMENTARY INFORMATION:

I. Introduction

On February 14, 2023, the Commission proposed amendments to its existing regulations under the Privacy Act, 5 U.S.C. 552a,^[1] to reflect changes to clarify, update, and streamline the language of several procedural provisions. The Commission received sixteen comments on the proposed amendments, eleven of which were unrelated to the proposed rule. After consideration of the comments received, the Commission is adopting the amendments to its Privacy Act regulations as proposed. This final rule replaces the Commission's existing Privacy Act regulations in their entirety (17 CFR 200.301 through 200.313).

II. Amendments

A. Amendments To Update, Clarify, and Streamline the Privacy Act Regulations

The Commission is adopting amendments to certain procedural provisions to clarify, update, and streamline the Commission's Privacy Act regulations.^[2] The final rule, among other things: clarifies the purpose and scope of the regulations (Section 200.301); updates definitions so that the processes set forth in the regulations are more plainly described (17 CFR 200.302); simplifies the processes for submitting and receiving responses to Privacy Act inquiries, requests, and administrative appeals (17 CFR 200.303, 305, 306, 307, and 308); allows for requesters to electronically verify their identities, including by facsimile, email, or an online Commission form (17 CFR 200.303); provides for a shorter Commission response time to Privacy Act inquiries as to whether a specific system of records maintained by the Commission contains a record pertaining to the requester, which aligns with other relevant time lines (17 CFR 200.304); updates agency contact information ( e.g., office names, facsimile numbers, email addresses, and physical addresses) (17 CFR 200.303, 305, 308, and 309); and updates the list of Commission systems of records that have promulgated rules exempting certain records from certain provisions of the Privacy Act (17 CFR 200.310).

B. Revisions to Fee Provisions

The final rule updates the fee provisions to reflect existing practice with respect to charging fees for duplicating documents. Duplication rates are available on the Office of FOIA Services' fee page on the Commission's website. The duplication fees currently posted on the website reflect the direct costs to the Commission of producing a copy, whether in paper or electronic format, taking into account various factors including the salary of the employee(s) performing the work and the cost of materials. The Office of FOIA Services does not charge for providing existing electronic records because such a production does not require duplication processes, such as scanning or commercial copying of hard copies that impose direct costs on the Commission. The duplication fee posted on the Commission's website is adjusted as appropriate to reflect current costs.

The final rule also codifies the existing practice of charging requesters the direct costs associated with making records available on electronic storage devices, as presently reflected on the Commission's FOIA fee website. Further, the final rule allows for providing requesters with one free copy of each record amended or corrected pursuant to a request for amendment or correction.

C. Elimination of Certain Provisions

The amendments eliminate certain provisions from the existing regulations, as well as two Sections in their entirety. The deleted provisions either restate language in the Privacy Act, and thus do not require elaboration in the Commission's regulations; have been incorporated into other provisions within the final rule; or are otherwise unnecessary. The amendments remove the following provisions of the existing rule:

Title 17, section 200.305: This provision, which provides special procedures for requests for medical records, is unnecessary as the medical records the Commission typically maintains, whether about Commission staff or other individuals, are generally available to those individuals through other means, and the Commission has never used special procedures for medical records in connection with Privacy Act requests.

Title 17, section 200.307(b): This provision restates the standards applied in reviewing requests for amendment or correction of records. These standards are set forth in the Privacy Act. Therefore, it is unnecessary to restate them in the Commission's regulations.

Title 17, section 200.309(a): This provision describes the standards for extending time to respond to requests. This section uses language from the Freedom of Information Act (5 U.S.C. 552(a)(6)(B)(iii)) rather than the Privacy Act. Title 17, sections 200.304(d)(1), 304(d)(2)(ii), 307(b), and 309(a)(3) of the final rule contain information about extensions of time based on the requirements of the Privacy Act.

Title 17, sections 200.309(b), (c), (d), and (e): These provisions are unnecessary as they are not contemplated by the statute, are covered elsewhere in the final rule, or are obsolete due to changes in technology affecting how Privacy Act requests are processed.

Title 17, section 200.311: This provision restates the statutory penalties set forth in the Privacy Act (5 U.S.C. 552a(i)). Accordingly, recitation within Commission regulations is unnecessary.

D. Addition of Provisions

The final amendments add a provision for processing requests by individuals for an accounting of certain record disclosures about the requester, to include the date, nature, and purpose of each disclosure, that the Commission has made available to another person, organization, or agency (17 CFR 200.307 of the final rule). While the statute allows for individuals to request such an accounting (5 U.S.C. 552a(c)(3)), the Commission's existing rule has no such provision. The final rule also includes a provision that formally implements a 90-day time period for requesters to file administrative appeals (17 CFR 200.308 of the final rule). The 90-day period is appropriate because Privacy Act requests for access to records are concurrently processed as Freedom of Information Act (“FOIA”) requests and the FOIA sets forth a 90-day deadline to file an administrative appeal. Because of the overlap with FOIA, Privacy Act requesters are currently informed they have 90 days to file an administrative appeal in response to an adverse decision. The final rule codifies this current procedure.

E. Public Comments

The Commission received 16 comments in response to the proposed rulemaking. Eleven of the comments concerned subjects that were unrelated to the proposed rule and the Privacy Act in general.^[3] Four comments approved of the proposed rule in its entirety.^[4]

One commenter supported several provisions in the proposed rule, but expressed concern regarding revisions to the fee provisions.^[5] Specifically, the commenter indicated that charging requesters the direct costs associated with making records available on electronic storage devices might “potentially discourage individuals from exercising their rights under the Privacy Act, particularly those who may not have the financial means to pay for the direct costs associated with obtaining records.” ^[6] The overwhelming majority of records that are responsive to Privacy Act requests are provided in electronic format. The Office of FOIA Services does not charge for providing existing electronic records unless the volume of electronic records is such that production requires an electronic storage device. Although the Office of FOIA Services requires fees for production of records on an electronic storage device, no such fees were charged from 2015 through 2022. Typically, production of voluminous electronic records can be accomplished with secure file sharing platforms. Electronic storage devices would only be used at the election of the requester, and we expect such a request would be made only if the cost would not be a significant impediment. The Commission collected no fees for processing Privacy Act requests during fiscal years 2015 through 2022, whether electronic or otherwise. The Commission is not making any changes in response to this comment because it anticipates that it will generally be able to produce even voluminous electronic records with file sharing platforms.

The same commenter also expressed concern that that the deletion of certain provisions within the existing regulations would eliminate protections to individuals' privacy rights.^[7] As an example, the commenter stated that the deletion of 17 CFR 200.305 might make it more difficult for individuals to access their records.^[8] Under the existing rule at 17 CFR 200.305, the Commission may require the requester to submit a signed statement by a physician or a mental health professional or the Commission may initially disclose the records to a physician or a mental health professional for their review. Obtaining a statement from a physician or mental health professional and/or Start Printed Page 65809 having a physician or mental health professional review an individual's records prior to disclosure would result in additional processing time. Deletion of existing 17 CFR 200.305 will make it easier for a requester to obtain their records. Therefore, the Commission is not making any changes from its proposal in response to this comment.

III. Other Matters

If any of the provisions of these rules, or the application thereof to any person or circumstance, is held to be invalid, such invalidity shall not affect other provisions or application of such provisions to other persons or circumstances that can be given effect without the invalid provision or application.

Pursuant to the Congressional Review Act, the Office of Information and Regulatory Affairs has designated these rules as not a “major rule,” as defined by 5 U.S.C. 804(2).

IV. Economic Analysis

The Commission is sensitive to the economic effects, including the costs and benefits that result from its rules. Section 23(a)(2) of the Securities Exchange Act of 1934 (“Exchange Act”) requires the Commission, in making rules pursuant to any provision of the Exchange Act, to consider among other matters the impact any such rule would have on competition and prohibits any rule that would impose a burden on competition that is not necessary or appropriate in furtherance of the purposes of the Exchange Act.^[9] Further, Section 3(f) of the Exchange Act requires the Commission, when engaging in rulemaking where it is required to consider or determine whether an action is necessary or appropriate in the public interest, to consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation.^[10]

As explained in the Proposing Release and discussed further below, the Commission believes that the economic effects of the final rule will be limited. The Commission notes that, where possible, it has attempted to quantify the costs, benefits, and effects on efficiency, competition, and capital formation expected to result from the final amendments. In some cases, however, the Commission is unable to quantify the economic effects because it lacks the information necessary to provide a reasonable estimate. Additionally, some of the potential benefits of the amendments are inherently difficult to quantify.

The final amendments fall into four categories: (1) revisions to procedural provisions; (2) revisions to certain fee provisions; (3) the elimination of certain unnecessary provisions; and (4) the addition of a new provision for requesting an accounting of record disclosures. We discuss each of these in turn below.

First, we are amending certain procedural provisions. Most of these changes codify existing practice, including: (1) adding methods for submitting Privacy Act inquiries, requests, and administrative appeals; (2) clarifying the procedures for submitting requests for information or records about oneself; (3) clarifying certain procedures for verification of identity, including options available for in-person or not in-person verification and necessary documentation; (4) clarifying procedures for submitting an administrative appeal; (5) codifying the existing practice of providing requesters 90 days to file an administrative appeal; and (6) correctly identifying the Commission systems of records that are exempt under the Privacy Act.^[11] We believe that adoption of the final rule will have minimal impact on Privacy Act requesters because it largely codifies existing practices. Adoption of the final rule could benefit the public and improve efficiency by decreasing the time in which the Commission responds to inquiries, requests, and appeals.

Furthermore, these amendments may reduce potential confusion among Privacy Act requesters with regard to certain existing procedures, which could further benefit the public. In particular, because Privacy Act requests for access to records are also processed as FOIA requests and the FOIA sets forth a 90-day deadline to file an administrative appeal, Privacy Act requesters are currently informed they have 90 days to file an administrative appeal in response to an adverse decision. We believe that codifying this existing practice would benefit requesters by removing any uncertainty as to when appeals must be filed. In addition, with respect to the provisions on verification of identity, the amendments also explicitly provide for an alternative electronic identification option through processes made available on the Commission's website. By clarifying and supplementing the available options for verification, these amendments may allow requesters to more efficiently choose a verification process that is most appropriate for them. We do not expect the amendments to the procedural provisions to result in additional costs to any member of the public.

Second, we are revising the provision concerning fees charged for duplication. This includes: (1) determining duplication fees based on the direct cost to the Commission as set forth on the FOIA fee page on the Commission's website; (2) codifying the existing practice of charging requesters the direct costs associated with making records available on electronic storage devices; and (3) clarifying that requesters will receive one free copy of each record corrected or amended pursuant to a request for amendment.

The amendments to the fee procedures would benefit Privacy Act requesters by removing potential confusion about the cost of obtaining records and the cost of making records available on electronic storage devices. We do not anticipate that any of the changes to the fee procedures would impose significant new costs on Privacy Act requesters or have any other economic impact.

Prior to July 2018, duplication costs for FOIA and Privacy Act requesters were 24 cents per page as set by contract with a commercial copier. Since that time, duplication costs have been set at 15 cents per page, which reflects the direct cost to the Commission. Duplication fees may change in the future, to the extent that the Commission's direct costs for duplicating materials increase or decrease.

The table below shows the number of Privacy Act requests processed by the Commission during fiscal years 2015 through 2022 and that, during those years, the Commission collected no fees for processing requests received under the Privacy Act.

Fiscal year	Requests processed	Fees collected for processing requests
2015	134	$0.00
2016	155	0.00
2017	95	0.00
2018	283	0.00
2019	162	0.00
2020	159	0.00
2021	255	0.00
2022	261	0.00

From fiscal years 2015 through 2022 requesters were not charged fees because either no records were provided or the requester was provided with Start Printed Page 65810 existing electronic records, for which a fee is not charged. There were no requests processed that required production of hard copy records, the scanning of hard copies, or production in another media, such as an electronic storage device, and, consequently, no requests that would have imposed direct costs on the Commission.

Given the lack of chargeable duplication fees in recent years, the Commission anticipates that the changes to duplication fees (including fees for producing materials in electronic format) would not result in significant additional costs for requesters. Further, these amendments largely codify existing practices regarding fees for duplication and production on other types of media and, like the existing regulations, do not charge fees for searching or retrieving records. As noted, one commenter indicated that charging requesters the direct costs associated with making records available on electronic storage devices might “potentially discourage individuals from exercising their rights under the Privacy Act, particularly those who may not have the financial means to pay for the direct costs associated with obtaining records.” ^[12] However, as discussed, this amendment codifies existing practice. Moreover, from 2015 to 2022, no such fees were charged. Accordingly, we do not expect significant changes in incentives for requesters to make a request under the Privacy Act.

The final rule clarifies that requesters will receive one free copy of each record corrected or amended pursuant to a request for amendment. This revision codifies an existing practice and would therefore not impose any additional burden on requesters.

Third, the Commission is eliminating certain provisions in its Privacy Act regulations. The Commission does not anticipate that the removal of 17 CFR 200.305 will have any meaningful economic effects. The existing provision provides special procedures for requests for medical records, but the medical records the Commission typically maintains, whether about Commission staff or other individuals, are generally available to those individuals through other means, and the Commission has never used special procedures for medical records in connection with Privacy Act requests. One commenter indicated that the deletion of this provision might make it more difficult for requestors to obtain medical records; ^[13] however, as noted above, requestors would still be able to access these records directly, which would involve less time than using the process outlined in existing 17 CFR 200.305. The Commission does not expect the elimination of 17 CFR 200.307(b) and 200.311 to result in any economic effects because they restate language in the Privacy Act.

There would also be minimal economic effects from the elimination of 17 CFR 200.309(a), which describes the standards for extending time to respond to requests, because other provisions in the final rule (17 CFR 200.304(d), 200.306(b), and 200.307(d)) address the procedures and reasons for extending the time to respond to inquiries and requests. Similarly, the Commission does not expect the elimination of 17 CFR 200.309(c) and 200.309(d) to result in meaningful economic effects. These provisions require giving notice to a requester when delay will result from the fact that the subject records are in use by a member of the Commission or its staff and when records are lost. The final rule would require the Office of FOIA Services to notify requesters of reasons for delay and of the fact that a record does not exist, so the specific information in 17 CFR 200.309(c) and 200.309(d) is duplicative.

The elimination of 17 CFR 200.309(b) would remove the concept of an “effective date of action” as it relates to mailing acknowledgements or responses by the Commission. This amendment could increase the Commission's flexibility in acknowledging or responding to requests while also potentially increasing uncertainty for requesters, but these effects would only be realized to the extent that requesters and the Commission rely on mail to make and respond to requests, and the Commission expects that use of mail will be infrequent going forward because most communications with requesters occur by email.

The elimination of 17 CFR 200.309(e)(1), which prohibits oral requests, would have no substantive effect, because the existing regulations, like the final rule, elsewhere require Privacy Act requests to be made in writing. The elimination of 17 CFR 200.309(e)(2), which states that a misdirected request will be deemed received only once it is received by a Privacy Act Officer and that an appeal will not be considered unless the request was in fact received by a Privacy Act Officer, removes an unnecessary provision because the final rule at 17 CFR 200.303(a) and 200.305(a) has the same effect by requiring that requesters use the methods described in the final rule to submit a Privacy Act inquiry or request.

Finally, the Commission is adding a provision outlining the procedure for making requests for an accounting of record disclosures. The existing rules do not provide for such a procedure, although the Commission is obligated, by statute, to provide such information upon request.^[14] This provision would reduce the potential confusion among Privacy Act requesters about the exact procedure that they would have to follow with regard to this type of request, and therefore this provision would generally benefit the public. Furthermore, by providing clarity about the procedure that would have to be followed when requesting an accounting of record disclosures, the provision would likely reduce the cost to the public of submitting this type of request.

The Commission requested comments on all aspects of the benefits and costs of the proposal. After evaluating all comments, the Commission continues to believe that the amendments to the Commission's Privacy Act regulations will not have any significant impact on competition or capital formation and may result in a slight improvement in operational efficiency.

V. Regulatory Flexibility Act Certification

Pursuant to Section 605(b) of the Regulatory Flexibility Act of 1980,^[15] the Commission certified that, when adopted, the amendments to 17 CFR 200.301 through 200.313 would not have a significant economic impact on a substantial number of small entities. This certification, including our basis for the certification, was included in the proposing release. The Commission solicited comments on the appropriateness of its certification, but received none. The Commission is adopting the final rules in the form published in the Proposing Release.

VI. Paperwork Reduction Act

The Commission stated in the Proposing Release that the proposed amendments to the Privacy Act regulations do not contain any collection of information as defined by the Paperwork Reduction Act of 1995 (“PRA”).^[16] The Commission also determined that the proposed amendments would not create any new filing, reporting, recordkeeping, or disclosure reporting requirements. Accordingly, the Commission did not submit the proposed amendments to the Start Printed Page 65811 Office of Management and Budget for review under the PRA.^[17] The Commission solicited comments on whether its conclusion that there are no new collections of information is correct, and it did not receive any comments.

Statutory Authority

The amendments contained herein are being adopted under the authority set forth in 5 U.S.C. 552a(f), 552a(j), 552a(k); and 15 U.S.C. 78d–1 and 78w(a).

List of Subjects in 17 CFR Part 200

Administrative practice and procedure; Privacy Act

Text of Amendments

For the reasons stated in the preamble, the Commission is amending title 17, chapter II of the Code of Federal Regulations as follows:

PART 200—ORGANIZATION; CONDUCT AND ETHICS; AND INFORMATION AND REQUESTS

1. The authority citation for part 200 continues to read as follows:

Authority: 5 U.S.C. 552, 552a, 552b, and 557; 11 U.S.C. 901 and 1109(a); 15 U.S.C. 77c, 77e, 77f, 77g, 77h, 77j, 77 o, 77q, 77s, 77u, 77z–3, 77ggg(a), 77hhh, 77sss, 77uuu, 78b, 78c(b), 78d, 78d–1, 78d–2, 78e, 78f, 78g, 78h, 78i, 78k, 78k–1, 78 l, 78m, 78n, 78 o, 78 o –4, 78q, 78q–1, 78w, 78t–1, 78u, 78w, 78 ll (d), 78mm, 78eee, 80a–8, 80a–20, 80a–24, 80a–29, 80a–37, 80a–41, 80a–44(a), 80a–44(b), 80b–3, 80b–4, 80b–5, 80b–9, 80b–10(a), 80b–11, 7202, and 7211 et seq.;29 U.S.C. 794; 44 U.S.C. 3506 and 3507; Reorganization Plan No. 10 of 1950 (15 U.S.C. 78d nt); sec. 8G, Pub. L. 95–452, 92 Stat. 1101 (5 U.S.C. App.); sec. 913, Pub. L. 111–203, 124 Stat. 1376, 1827; sec. 3(a), Pub. L. 114–185, 130 Stat. 538; E.O. 11222, 30 FR 6469, 3 CFR, 1964–1965 Comp., p. 36; E.O. 12356, 47 FR 14874, 3 CFR, 1982 Comp., p. 166; E.O. 12600, 52 FR 23781, 3 CFR, 1987 Comp., p. 235; Information Security Oversight Office Directive No. 1, 47 FR 27836; and 5 CFR 735.104 and 5 CFR parts 2634 and 2635, unless otherwise noted.

2. Subpart H is revised to read as follows:

200.301: Purpose and scope.
200.302: Definitions.
200.303: Procedures for making inquiries and requests for access.
200.304: Responses to inquiries and requests for access.
200.305: Requests for amendment or correction of records.
200.306: Review of requests for amendment or correction.
200.307: Requests for an accounting of record disclosures.
200.308: Administrative appeals.
200.309: Fees.
200.310: Specific exemptions.
200.311: Inspector General exemptions.
200.312: [Reserved]

Subpart H—Regulations Pertaining to the Privacy of Individuals and Systems of Records Maintained by the Commission

§ 200.301

Purpose and scope.

(a) This subpart contains the rules of the Securities and Exchange Commission implementing the Privacy Act of 1974, as amended (Pub. L. 93–579, 5 U.S.C. 552a). These rules are applicable to all records in systems of records maintained by the Commission. They set forth the procedures by which individuals may make an inquiry regarding or request access to records about themselves, request an amendment or correction of those records, and request an accounting of disclosures of those records by the Commission.

(b) This subpart also lists the Commission systems of records that are exempt from some of the provisions of the Privacy Act of 1974. These exemptions are authorized under the Privacy Act, 5 U.S.C. 552a(j) and (k).

§ 200.302

Definitions.

In addition to the definitions contained in 5 U.S.C. 552a(a), the following definitions apply in this subpart:

Commission means the Securities and Exchange Commission.

Inquiry means a request described in Privacy Act section (f)(1).

Privacy Act means the Privacy Act of 1974, as amended (5 U.S.C. 552a).

Request for access to a record means a request made under Privacy Act section (d)(1).

Request for amendment or correction of a record means a request made under Privacy Act section (d)(2).

Request for an accounting means a request made under Privacy Act section (c)(3).

Requester means an individual who makes an inquiry, a request for access, a request for amendment or correction, or a request for an accounting.

§ 200.303

Procedures for making inquiries and requests for access.

Requesters seeking to know if a specific system of records maintained by the Commission contains a record pertaining to them may submit an inquiry to the Commission. Requesters may also request access to records pertaining to them in a system of records maintained by the Commission.

(a) How to make an inquiry or request for access. An inquiry or request for access must be in writing and may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively submit an inquiry or request for access by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. Inquiries and requests for access that are submitted by mail should include the words “PRIVACY ACT REQUEST” in capital letters at the top of the letter and on the face of the envelope.

(b) Information to be included in an inquiry or request for access. Each inquiry or request for access must include information that will assist the Commission in identifying those records the requester is seeking information about or access to. The following information, as relevant, should be submitted with the request: name of the individual whose record is sought; identifying data that will help locate the record ( e.g., maiden name and period or place of employment); and the requester's name, address, telephone number, and email address. Where practicable, the requester should identify the system of records that is the subject of the inquiry or request for access by reference to the Commission's systems of records notices, which are published in the Federal Register . The Commission's systems of records notices can also be found on the Commission's website at https://www.sec.gov/oit/system-records-notices. If additional information is required before a request can be processed, the requester will be so advised.

(c) Verification of identity. A requester making an inquiry or requesting access to a record must verify his or her identity before information is given or access is granted unless the information is required to be disclosed under the Freedom of Information Act (FOIA), 5 U.S.C. 552.

(1) In-person verification. A requester may appear at any of the Commission offices, which are listed on the Commission's website at https://www.sec.gov/divisions.shtml, and furnish documentation to establish his or her identity. Such documentation might include a valid driver's license, passport, birth certificate, employee or Start Printed Page 65812 military identification card, or Medicare card. Sufficiency of the documentation in verifying identity will be determined by the Commission staff member reviewing such documentation.

(2) Not in-person verification. A requester who does not appear in person must verify his or her identity using one of the following methods:

(i) A requester may use electronic identity proofing and authentication processes as made available through the Commission's website; or

(ii) A requester may submit a copy of documentation to establish the requester's identity (examples of such documentation are noted in paragraph (c)(1) of this section).

(3) Submission of signed statement. For all verification methods, a requester must also submit a statement attesting to the requester's identity and a statement that the requester understands that a knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a $5,000 fine. Sample statements and the requirements for completing them are available through the Commission's website.

(4) Additional procedures for verifying identity. When it appears appropriate, the Commission's Office of FOIA Services may make such other arrangements for the verification of identity as are reasonable under the circumstances and appear to be effective to prevent unauthorized disclosure of, or access to, individual records.

§ 200.304

Responses to inquiries and requests for access.

(a) Initial review. Inquiries and requests for access will be referred to the Commission's Office of FOIA Services which will make the initial determination as to whether the inquiry or request for access will be granted.

(b) Grant of inquiry or request for access. If it is determined that an inquiry or request for access will be granted, the requester will be advised in writing. When a request for access is granted, in full or in part, a requester may elect to receive a copy of the requested record electronically, by mail, or in person, and the Office of FOIA Services will comply with that election to the extent practicable.

(c) Denial of an inquiry or request for access. If it is determined that no response will be given to an inquiry or that a request for access will not be granted, the requester will be notified of that fact in writing and given the reasons for the denial. The requester also will be advised of his or her right to seek review by the Office of the General Counsel of the initial decision in accordance with the procedures set forth in § 200.308.

(d) Time for acting on inquiries and requests for access —(1) Responses to inquiries. The Office of FOIA Services will endeavor to inform a requester making an inquiry as to whether the named system of records contains a record pertaining to him or her within 10 days (excluding Saturdays, Sundays, and Federal holidays) of receipt of such a request. Whenever a response to an inquiry cannot be made within the 10 days, the Office of FOIA Services will inform the requester of the reasons for the delay and the date by which a response may be anticipated.

(2) Acknowledgement of and responses to requests for access. (i) Except where the requester appears in person, the Office of FOIA Services will endeavor to acknowledge, in writing, receipt of a request for access within 10 days (excluding Saturdays, Sundays, and Federal holidays) of receipt of such a request.

(ii) The Office of FOIA Services will endeavor to respond to a request for access to a record pertaining to a requester within 30 days (excluding Saturdays, Sundays, and Federal holidays) after the receipt of the request. If, for good cause shown, a longer period of time is required, the Office of FOIA Services will inform the requester in writing of the reasons for the delay, and indicate when access is expected to be granted or denied.

(3) Appearance in person. When a requester appears in person at the Commission to make a request for access and the requester provides the required information and verification of identity, the Office of FOIA Services' staff, if practicable, will indicate whether it is likely that the requester will be given access to the records and, if so, when and under what circumstances such access will be given.

(e) Exclusion for certain records. Nothing contained in these rules allows a requester to obtain access to any records or information compiled in reasonable anticipation of a civil action or proceeding.

§ 200.305

Requests for amendment or correction of records.

(a) How to a make request for amendment or correction. A written request for amendment or correction of records may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively submit a request for amendment or correction by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. Requests that are submitted by mail should include the words “PRIVACY ACT REQUEST” in capital letters at the top of the letter and on the face of the envelope.

(1) Information to be included in requests for amendment or correction. Each request for amendment or correction must reasonably describe the record sought to be amended or corrected. Such description should include, for example, relevant names, dates, and subject matter to permit the record to be located among the records maintained by the Commission. The requester will be advised promptly if the record cannot be located on the basis of the description given and if further identifying information is necessary before the request can be processed. Verification of the requester's identity as set forth in § 200.303(c) will also be required before an amendment or correction is undertaken.

(2) Basis for amendment or correction. A requester seeking an amendment or correction to a record must specify the substance of the amendment or correction and set forth facts and provide such materials that would support the contention that the record as maintained by the Commission is not accurate, timely, or complete or, where a request seeks deletion of information, that the record is not necessary and relevant to accomplish a statutory purpose of the Commission as authorized by law or by Executive Order of the President.

(b) Acknowledgement of requests for amendment or correction. Receipt of a request for amendment or correction will be acknowledged in writing within 10 days (excluding Saturdays, Sundays, and Federal holidays) after such request has been received. When a request for amendment or correction is made in person, the requester will be given a written acknowledgement when the request is presented. The acknowledgement will describe the request received and indicate when it is anticipated that action will be taken on the request.

§ 200.306

Review of requests for amendment or correction.

(a) Initial review. Requests for amendment or correction to records pertaining to that individual will be referred to the Commission's Office of FOIA Services for an initial determination. Start Printed Page 65813

(b) Time for acting on requests. Initial review of a request for amendment or correction will be completed promptly and the Office of FOIA Services will endeavor to respond to a request within 30 days (excluding Saturdays, Sundays, and Federal holidays) from the date the request was received, unless circumstances preclude completion of review within that time. If the anticipated completion date indicated in the acknowledgement cannot be met, the requester will be advised in writing of the delay and the reasons for the delay, and also advised when action is expected to be completed.

(c) Grant of requests for amendment or correction. If a request for amendment or correction is granted in whole or in part, the Office of FOIA Services will:

(1) Advise the requester in writing of the extent to which it has been granted;

(2) Amend or correct the record accordingly; and

(3) Where an accounting of disclosures of the record has been kept pursuant to 5 U.S.C. 552a(c), advise all previous recipients of the record of the fact that the record has been amended or corrected and the substance of the amendment or correction.

(d) Denial of requests for amendment or correction. If the request for amendment or correction is denied in whole or in part, the Office of FOIA Services will:

(1) Promptly advise the requester in writing of the extent to which the request has been denied;

(2) State the reasons for the denial of the request;

(3) Describe the procedures to appeal the denial of the request for amendment or correction, including the name and address of the person to whom the appeal is to be addressed; and

(4) Inform the requester that the Office of FOIA Services will provide information and assistance to the individual in perfecting an appeal of the initial decision.

§ 200.307

Requests for an accounting of record disclosures.

(a) How made and addressed. Except where accountings of disclosures are not required to be kept or provided (as stated in paragraph (e) of this section), requesters may ask the Commission to provide an accounting of a disclosure of a record about the requester that the Commission has made to another person, organization, or agency. The request for an accounting should identify each particular record in question and must be made in writing. The request may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively submit a request for an accounting by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. Requests for accounting that are submitted by mail should include the words “PRIVACY ACT REQUEST” in capital letters at the top of the letter and on the face of the envelope.

(b) Verification of identity. Verification of the requester's identity as set forth in section 202.303(c) will be required before an accounting is given.

(c) Acknowledgement of requests for an accounting of record disclosures. The Office of FOIA Services will endeavor to acknowledge, in writing, receipt of a request for an accounting of record disclosures within 10 days of receipt of such a request (excluding Saturdays, Sundays, and Federal holidays). When a request for an accounting of record disclosures is made in person, the requester will be given a written acknowledgement when the request is presented. The acknowledgement will describe the request received and indicate when it is anticipated that action will be taken on the request.

(d) Time for acting on requests. The Office of FOIA Services will endeavor to respond to a request for an accounting of record disclosures within 30 days (excluding Saturdays, Sundays, and Federal holidays) from the date the request was received, unless the requester is notified in writing within the 30-day period that, for good cause shown, a longer period of time is required. In such cases, the requester will be informed in writing of the reasons for the delay and an indication will be given as to when it is anticipated that an accounting may be granted or denied.

(e) Grant of request of accounting. If it is determined that a request for an accounting will be granted, the requester will be advised in writing. When a request for access is granted, in full or in part, the information will be provided electronically, by mail, or in person at the requester's election.

(f) Denial of a request for accounting. If it is determined that the request will not be granted, the requester will be notified of that fact in writing and given the reasons for the denial. The requester also will be advised of his or her right to seek review by the Office of the General Counsel of the initial decision in accordance with the procedures set forth in § 200.308.

(g) Where accountings of record disclosures are not required. The Commission is not required to provide accountings of disclosures to requesters where they relate to:

(1) Disclosures made to officers and employees within the Commission and disclosures made under the FOIA, 5 U.S.C. 552;

(2) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from those law enforcement agencies specifying the law enforcement activities for which disclosures are sought; or

(3) Disclosures made from law enforcement systems of records that have been exempted from accounting requirements.

§ 200.308

Administrative appeals.

(a) Administrative review. A requester who has been notified pursuant to § 200.304(c), § 200.306(d), or § 200.307(d) that his or her inquiry or request has been denied in whole or in part, or who has received no response to a request for access or to amend within 30 days (excluding Saturdays, Sundays, and Federal holidays) after his or her request was received by the Office of the FOIA Services, may appeal to the Office of the General Counsel the adverse determination.

(1) Appeals must be received within 90 calendar days of the date of the written denial of an inquiry or request and must be received no later than 11:59 p.m., eastern time, on the 90th day.

(2) The appeal should be in writing and should provide the assigned request number, a copy of the original request, and the adverse determination. The appeal should also explain why the requester contends any adverse determination was in error. The requester may state such facts and cite such legal or other authorities as the requester may consider appropriate in support of the appeal. If only a portion of the adverse determination is appealed, the requester should specify which part is being appealed.

(3) The appeal may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester may alternatively submit an appeal by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html.Start Printed Page 65814

(4) The Office of the General Counsel will endeavor to make a determination with respect to an appeal within 30 days after the receipt of such appeal (excluding Saturdays, Sundays, and Federal holidays) unless, for good cause shown, the Office of the General Counsel extends that period. If such an extension is made, the individual who is appealing will be advised in writing of the extension, the reasons therefor, and the anticipated date when the appeal will be decided.

(5) If the Office of the General Counsel concludes that an inquiry or request for access, amendment or correction, or an accounting should be granted, it will issue a decision granting the inquiry or request and instructing the Office of FOIA Services to comply with § 200.304(b), § 200.306(c), or § 200.307(c), as applicable.

(6) If the Office of the General Counsel affirms the initial decision denying an inquiry or request for access or an accounting, it will issue a decision denying the inquiry or request and advising the requester of:

(i) The reasons for the denial; and

(ii) The requester's right to obtain judicial review of the decision pursuant to 5 U.S.C. 552a(g)(1)(B) or (g)(1)(D), as applicable.

(7) If the Office of the General Counsel determines that the decision of the Office of FOIA Services denying a request for amendment or correction should be upheld, it will issue a decision denying the request and the individual will be advised of:

(i) The decision refusing to amend or correct the record and the reasons therefor;

(ii) The requester's right to file a concise statement setting forth his or her disagreement with the decision not to amend or correct the record;

(iii) The procedures for filing such a statement of disagreement;

(iv) The fact that any such statement of disagreement will be made available to anyone to whom the record is disclosed, together with, if the Office of the General Counsel deems it appropriate, a brief statement setting forth the Office of the General Counsel's reasons for refusing to amend or correct;

(v) The fact that prior recipients of the record in issue will be provided with the statement of disagreement and the Office of the General Counsel's statement, if any, to the extent that an accounting of such disclosures has been maintained pursuant to 5 U.S.C. 552a(c); and

(vi) The requester's right to seek judicial review of the Office of the General Counsel's refusal to amend or correct, pursuant to 5 U.S.C. 552a(g)(1)(A).

(8) In appropriate cases the Office of the General Counsel may, in its sole discretion, refer matters requiring administrative review of initial decisions to the Commission for determination and the issuance, where indicated, of decisions.

(b) Statements of disagreement. As noted in paragraph (a)(6)(ii) of this section, a requester may file a statement setting forth his or her disagreement with the Office of the General Counsel's denial of the request for amendment or correction.

(1) Such statement of disagreement may be submitted by email ( foiapa@sec.gov) or online at the Commission's website at https://www.sec.gov/forms/request_public_docs. A requester who is not able to submit a statement of disagreement by email or online may submit a request by mail to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549 or other mailing address or facsimile number published on the Commission's website at https://www.sec.gov/oso/help/foia-contact.html. A requester must submit a statement of disagreement within 30 days after receipt of the Office of the General Counsel's decision denying the request for amendment or correction. For good cause shown this period can be extended for a reasonable time.

(2) Statements of disagreement should be concise and must clearly identify each part of any record that is disputed and state the basis for the requester's disagreement. The Office of the General Counsel will return unduly lengthy or irrelevant materials to the individual for appropriate revisions before they become a permanent part of the requester's record. Statements of disagreement will be placed in the system of records in which the disputed record is maintained. The disputed record will be marked to indicate that a statement of disagreement has been filed and where in the system of records it may be found.

(3) If a requester has filed a statement of disagreement, the Office of FOIA Services will append a copy of it to the disputed record whenever the record is disclosed and may also append a concise statement of its reason(s) for denying the request for amendment or correction.

(4) In appropriate cases, the Office of the General Counsel may, in its sole discretion, refer matters concerning statements of disagreement to the Commission for disposition.

§ 200.309

Fees.

(a) The only fee to be charged to a requester under this part is for the duplication of records to be disclosed to the requester. No fee will be charged or collected for: search, retrieval, or review of records; or duplication at the initiative of the Commission without a request from the requester. Fees for duplication will be charged at rates set forth on the FOIA web page of the Commission's website at www.sec.gov. Fees for duplication include any costs incurred in making records available on electronic storage devices.

(b) With regard to requests for amendment or correction, the Commission will provide the requester one copy of each record corrected or amended pursuant to his or her request without charge as evidence of the correction or amendment.

(c) Whenever the Office of FOIA Services determines that good cause exists to grant a request for reduction or waiver of fees for duplication costs, it may reduce or waive any such fees.

§ 200.310

Specific exemptions.

(a) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the following systems of records maintained by the Commission are exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I), and (f), and §§ 200.303, 200.305, and 200.307, insofar as they contain investigatory materials compiled for law enforcement purposes:

(1) Enforcement Files;

(2) Office of the General Counsel Working Files;

(3) Office of the Chief Accountant Working Files;

(4) Correspondence Response System;

(5) Tips, Complaints, and Referrals (TCR) Records; and

(6) SEC Security in the Workplace Incident Records.

(b) Pursuant to 5 U.S.C. 552a(k)(5), the systems of records containing the Commission's Disciplinary and Adverse Actions, Employee Conduct, and Labor Relations Files are exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f), and §§ 200.303 through 200.309, insofar as they contain investigatory material compiled to determine an individual's suitability, eligibility, and qualifications for Federal civilian employment or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to September 27, 1975, under an implied Start Printed Page 65815 promise that the identity of the source would be held in confidence.

§ 200.311

Inspector General exemptions.

(a) Pursuant to, and limited by 5 U.S.C. 552a(j)(2), the system of records maintained by the Office of Inspector General of the Commission that contains investigative files is exempt from the provisions of 5 U.S.C. 552a, except sections (b), (c)(1) and (2), (e)(4)(A) through (F), (e)(6), (e)(7), (e)(9), (e)(10), and (e)(11), and (i), and §§ 200.303 through 200.309, insofar as the system contains information pertaining to criminal law enforcement investigations.

(b) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the system of records maintained by the Office of Inspector General of the Commission that contains investigative files is exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f) and §§ 200.303 through 200.309, insofar as it contains investigatory materials compiled for law enforcement purposes.

§ 200.312

[Reserved]

By the Commission.

Dated: September 20, 2023.

Vanessa A. Countryman,

Secretary.

Footnotes

1. See Release No. 34–96906 (Feb. 14, 2023), 88 FR 10483 (Feb. 21, 2023) (“Proposing Release”).

Back to Citation

2. These amendments are discussed in greater detail in Section IV. Economic Analysis.

Back to Citation

3. See, e.g., comments from Anonymous, dated Feb. 22, 2023; comments from Vince Navarro, dated Feb. 23, 2023; comments from Jonathan Dinkel, dated Mar. 1, 2023; comments from Household Harry, dated Mar. 1, 2023; comments from Chris Carrington, dated Mar. 5, 2023; comments from Curtis Higgins, dated Mar. 6, 2023; comments from D Skewis, dated Mar. 7, 2023; comments from Nick, dated Mar. 19, 2023; comments from Curtis, dated Mar. 23, 2023; comments Nathaniel Moraton, dated Apr. 7, 2023; and comments from Alexander MacCartney, dated Apr. 17, 2023.

Back to Citation

4. See, e.g., comments from Nick Ahlers, dated Feb. 24, 2023; comments from Angel Rodriguez, dated Feb. 27, 2023; comments from Richard Russell, dated Mar. 1, 2023; and comments from Bernie Bankman Griffin, dated Mar. 6, 2023.

Back to Citation

5. See Gillmore comment, dated Feb. 24, 2023.

Back to Citation

6. Id.

Back to Citation

7. Id.

Back to Citation

8. Id.

Back to Citation

9. 15 U.S.C. 78w(a).

Back to Citation

10. 15 U.S.C. 78c(f).

Back to Citation

11. One of the systems of records identified in the existing rule is obsolete. Another system of records had its name changed, and a new system of records was added.

Back to Citation

12. See Gillmore comment, dated Feb. 24, 2023.

Back to Citation

13. Id.

Back to Citation

14. 5 U.S.C. 552a(c)(3).

Back to Citation

15. 5 U.S.C. 605(b).

Back to Citation

16. 44 U.S.C. 3501 et seq.

Back to Citation

17. 44 U.S.C. 3507(d) and 5 CFR 1320.11.

Back to Citation

[FR Doc. 2023–20690 Filed 9–25–23; 8:45 am]

BILLING CODE 8011–01–P

Visit the Official Version

Document Information

Effective Date:: 10/26/2023
Published:: 09/26/2023
Department:: Securities and Exchange Commission
Entry Type:: Rule
Action:: Final rule.
Document Number:: 2023-20690
Dates:: Effective: October 26, 2023.
Pages:: 65807-65815 (9 pages)
Docket Numbers:: Release No. 34-98437, PA-60, File No. S7-03-23
RINs:: 3235-AN21: Privacy Act Amendments
RIN Links:: https://www.federalregister.gov/regulations/3235-AN21/privacy-act-amendments
Topics:: Administrative practice and procedure, Privacy
PDF File:: 2023-20690.pdf
CFR: (12): 17 CFR 200.301; 17 CFR 200.302; 17 CFR 200.303; 17 CFR 200.304; 17 CFR 200.305; More ...