65 FR 74 pgs. 20372-20380 - National Reconnaissance Office Privacy Act Program
Type: RULEVolume: 65Number: 74Pages: 20372 - 20380
FR document: [FR Doc. 00-9417 Filed 4-14-00; 8:45 am]
Agency: Defense Department
Sub Agency: National Reconnaissance Office
Official PDF Version: PDF Version
DEPARTMENT OF DEFENSE
National Reconnaissance Office
32 CFR Part 326
National Reconnaissance Office Privacy Act Program
National Reconnaissance Office, DOD
This rule establishes the National Reconnaissance Office Privacy Act Program. This rule establishes policies and procedures for implementing the NRO Privacy Program, and delegates authorities and assigns responsibilities for the administration of the NRO Privacy Program.
March 20, 2000.
National Reconnaissance Office, Information Access and Release Center, 14675 Lee Road, Chantilly, VA 20151-1715.
FOR FURTHER INFORMATION CONTACT:
Ms. Barbara Freimann at (703) 808-5029.
The proposed rule for the NRO Privacy Act Program was published on January 19, 2000, at 65 FR 2912. No comments were received, therefore, the rule is being adopted as a final rule.
Executive Order 12866, Regulatory Planning and Review
It has been determined that 32 CFR part 326 is not a significant regulatory action. The rule does not:
(1) Have an annual effect to the economy of $100 million or more; or adversely affect in a material way the economy; a section of the economy; productivity; competition; jobs; the environment; public health or safety; or state, local, or tribal governments or communities;
(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another Agency;
(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof;
(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in this Executive Order.
Public Law 96-354, Regulatory Flexibility Act (5 U.S.C. 601)
It has been certified that this rule is not subject to the Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities.
Public Law 96-511, Paperwork Reduction Act (44 U.S.C. Chapter 35)
It has been certified that this part does not impose any reporting or record keeping requirements under the Paperwork Reduction Act of 1995.
List of Subjects in 32 CFR Part 326
Accordingly, Title 32 of the CFR is amended in Chapter I, subchapter O, by adding part 326 to read as follows:
PART 326--NATIONAL RECONNAISSANCE OFFICE PRIVACY ACT PROGRAM
Sec. 326.1 Purpose.326.2 Application.326.3 Definitions.326.4 Policy.326.5 Responsibilities.326.6 Policies for processing requests for records.326.7 Procedures for collection.326.8 Procedures for requesting access.326.9 Procedures for disclosure of requested records.326.10 Procedures to appeal denial of access to requested record.326.11 Special procedures for disclosure of medical and psychological records.326.12 Procedures to request amendment or correction of record.326.13 Procedures to appeal denial of amendment.326.14 Disclosure of record to person other than subject.326.15 Fees.326.16 Penalties.326.17 Exemptions.
Pub. L. 93-579, 88 Stat 1896 (5 U.S.C. 552a).
§ 326.1 Purpose.
This part implements the basic policies and procedures outlined in the Privacy Act of 1974, as amended (5 U.S.C. 552a), and 32 CFR part 310; and establishes the National Reconnaissance Office Privacy Program (NRO) by setting policies and procedures for the collection and disclosure of information maintained in records on individuals, the handling of requests for amendment or correction of such records, appeal and review of NRO decisions on these matters, and the application of exemptions.
§ 326.2 Application.
Obligations under this part apply to all employees detailed, attached, or assigned to or authorized to act as agents of the National Reconnaissance Office. The provisions of this part shall be made applicable by contract or other legally binding action to government contractors whenever a contract is let for the operation of a system of records or a portion of a system of records.
§ 326.3 Definitions.
Access. The review or copying of a record or its parts contained in a system of records by a requester.
Agency. Any executive or military department, other establishment, or entity included in the definition of agency in 5 U.S.C. 522(f).
Control. Ownership or authority of the NRO pursuant to federal statute or privilege to regulate official or public access to records.
Disclosure. The authorized transfer of any personal information from a system of records by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any person, private entity, or government agency other than the subject of the record, the subject's designated agent, or the subject's legal guardian.
He, him, and himself. Generically used in this part to refer to both males and females.
Individual or requester. A living citizen of the U.S. or an alien lawfully admitted to the U.S. for permanent residence and to whom a record might pertain. The legal guardian or legally authorized agent of an individual has the same rights as the individual and may act on his behalf. No rights are vested in the representative of a dead person or in persons acting in an entrepreneurial (for example, sole proprietorship or partnership) capacity under this part.
Interested party. Any official in the executive (including military), legislative, or judicial branches of government, U.S. or foreign, or U.S. Government contractor who, in the sole discretion of the NRO, has a subject matter or physical interest in the documents or information at issue.
Maintain. To collect, use, store, disclose, retain, or disseminate when used in connection with records.
Originator. The NRO employee or contractor who created the document at issue or his successor in office or any official who has been delegated release or declassification authority pursuant to law.
Personal information. Information about any individual that is intimate or private to the individual, as distinguished from 'corporate information' which is in the public domain and related solely to the individual's official functions or public life (i.e., employee's name, job title, work phone, grade/rank, job location).
Privacy Act Coordinator. The NRO Information and Access Release Center Chief who serves as the NRO manager ofthe information review and release program instituted under the Privacy Act.
Record. Any item, collection, or grouping of information about an individual that is maintained by the NRO, including, but not limited to, the individual's education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name or identifying number (such as Social Security or employee number), symbol, or other identifying particular assigned to the individual, such as fingerprint, voice print, or photograph. Records include data about individuals which is stored in computers.
Responsive record. Documents or records that the NRO has determined to be within the scope of a Privacy Act request.
Routine use. The disclosure of a record outside the Department of Defense (DoD) for a use that is compatible with the purpose for which the information was collected and maintained by NRO. Routine use encompasses not only common or ordinary use, but also all the proper and necessary uses of the record even if such uses occur infrequently. All routine uses must be published in the Federal Register .
System managers. Officials who have overall responsibility for a Privacy Act system of records.
System notice. The official public notice published in the Federal Register of the existence and general content of the system of records.
System of records. A group of any records under the control of the NRO from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to that individual.
Working days. Days when the NRO is operating and specifically excludes Saturdays, Sundays, and legal public holidays.
§ 326.4 Policy.
(a) Records about individuals-
(1) Collection. The NRO will safeguard the privacy of individuals identified in its records. Information about an individual will, to the greatest extent practicable, be collected directly from the individual, and personal information will be protected from unintentional or unauthorized disclosure by treating it as marked 'For Official Use Only.' Access to personal information will be restricted to those employees whose official duties require it during the regular course of business.
(i) Privacy Act Statement. When an individual is requested to furnish personal information about himself for inclusion in a system of records, a Privacy Act Statement is required to enable him to make an informed decision whether to provide the information requested. A Privacy Act Statement may appear, in order of preference, at the top or bottom of a form, on the reverse side of a form, or attached to the form as a tear-off sheet.
(ii) Social Security Numbers (SSNs). It is unlawful for any governmental agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his SSN. However, if a federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of an individual in a system of records that was established and in use before January 1, 1975, this restriction does not apply. When collecting the SSN, a 'qualified' Privacy Act Statement must be provided even if the SSN will not be maintained in a system of records. The 'qualified' Privacy Act Statement shall inform the individual whether the disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.
(2) Maintenance. The NRO will maintain in its records only such information about an individual which is accurate, relevant, timely, and necessary to accomplish a purpose which is required by statute or Executive Order. All records used by the NRO to make determinations about individuals will be maintained with such accuracy and completeness as is reasonably necessary to assure fairness to the individual.
(3) Existence. The applicability of the Privacy Act depends on the existence of an identifiable record. The procedures described in NRO regulations do not require that a record be created or that an individual be given access to records that are not retrieved by name or other individual identifier. Nor do these procedures entitle an individual to have access to any information compiled in reasonable anticipation of a civil action or proceeding. NRO will maintain only those systems of records that have been described through notices published in the Federal Register . A system of records from which records may be retrieved by a name or some other personal identifier must be under NRO control for consideration under this part.
(4) Disposal. The NRO will archive, dispose of, or destroy records containing personal data in a manner to prevent specific records from being readily identified or inadvertently compromised.
(b) Evaluation of records. Statutory authority to establish and maintain a system of records does not grant unlimited authority to collect and maintain all information which may be useful or convenient. Directorates and offices maintaining records will evaluate each category of information in records systems for necessity and relevance prior to republication of all system notices in the Federal Register and during the design phase or change of a system of records. The following will be considered in the evaluation:
(1) Relationship of each item of information to the statutory purpose for which the system is maintained;
(2) Specific adverse consequences of not collecting each category of information; and
(3) Techniques for purging parts of the records.
(c) Disclosure of records. The NRO will provide the fullest access practicable by individuals to NRO records concerning them. Release of personal information to such individuals is not considered public release of information. Upon receipt of a written request, the NRO will release to individuals those records that are releasable and applicable to the individual making the request. Generally, information, other than that exempted by law and this part, will be provided to the individual. NRO personnel will comply with the Privacy Act of 1974, as amended, the DoD Privacy Act Program (32 CFR part 310), and the NRO Privacy Act Program. No NRO records shall be disclosed by any means of communication to any person or to any agency except pursuant to a written request by or the prior written consent of the individual to whom it pertains, unless disclosure of the record will be:
(1) To those employees of the NRO who have an official need for the record in the performance of their duties.
(2) Required to be disclosed to a member of the public under the Freedom of Information Act, as amended.
(3) For a routine use as defined in the Privacy Act.
(4) To the Census Bureau for the purpose of conducting a census or survey or related activity authorized by law.
(5) To a recipient who has provided the NRO with advance, adequate written assurance that the record will be used solely as statistical research and that the record is to be transferred in a form in which the individual is not identifiable.
(6) To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the U. S. Government.
(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the U.S. for a civil or criminal law enforcement activity if such activity is authorized by law and if the head of the agency or governmental entity has made a written request to the NRO specifying the particular portion of the record and the law enforcement activity for which the record is sought (blanket requests will not be accepted); a record may also be disclosed to a law enforcement agency at the initiative of the NRO pursuant to the blanket routine use for law enforcement when criminal conduct is indicated in the record.
(8) To a person showing compelling circumstances affecting the health or safety of an individual if, upon such disclosure, notification is sent to the last known address of the individual to whom the record pertains (emergency medical information may be released by telephone).
(9) To Congress or any committee, joint committee, or subcommittee of Congress with respect to a matter under its jurisdiction. This provision does not authorize the disclosure of a record to members of Congress acting in their individual capacities or on behalf of their constituents making third party requests. However, such releases may be made pursuant to the blanket routine use for Congressional inquiries when a constituent has sought the assistance of his Congressman forthe constituent's individual record(s).
(10) To the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the General Accounting Office.
(11) Pursuant to an order of a court of competent jurisdiction. When the record is disclosed under compulsory legal process and when the issuance of that order or subpoena is made public by the court which issued it, the NRO will make reasonable efforts to notify the individual to whom the record pertains by mail at the most recent address contained in NRO records.
(12) To a consumer reporting agency in accordance with 31 U.S.C. 3711(f).
(d) Allocation of resources. NRO components shall exercise due diligence in their responsibilities under the Privacy Act and must devote a reasonable level of personnel to respond to requests on a 'first-in, first-out' basis. In allocating Privacy Act resources, the component shall consider its imposed business demands, the totality of resources available to it, the information review and release demands imposed by Congress and other governmental authorities, and the rights of the public under various disclosure laws. The PA Coordinator will establish priorities for cases consistent with established law to ensure that smaller as well as larger 'project' cases receive equitable attention.
(e) Written permission for disclosure. Disclosures made under circumstances not delineated in this part shall be made only if the written permission of the individual involved has been obtained. Written permission shall be recorded on or appended to the document transmitting the personal information to the other agency, in which case no separate accounting of the disclosure need be made. Written permission is required in each case; that is, once obtained, written permission for one case does not constitute blanket permission for other disclosures.
(f) Coordination with other government agencies. Records systems of the NRO may contain records originated by other agencies that may have claimed exemptions for them under the Privacy Act. Where appropriate, coordination will be effected with the originating agency. The NRO will comply with the instructions issued by another agency responsible for a system of records (e.g., Office of Personnel Management) in granting access to such records. Records containing information or interests of another government agency will not be released until coordination with the other agency involved. A request for information pertaining to the individual in an NRO record system received from another federal agency will be coordinated with the originating agency.
(g) Accounting for disclosure. Except for disclosures made under paragraphs (c)(1) and (c)(2) of this section, an accurate account of the disclosures shall be kept by the record holder in consultation with the Privacy Act Coordinator (PA Coordinator). There need not be a notation on a single document of every disclosure of a particular record. The record holder should be able to construct from its system of records the accounting information:
(1) When required by the individual to whom the record pertains, or
(2) When necessary to inform previous recipients of any amended records. The accounting shall be retained for at least five years or for the life of the record, whichever is longer, to be available for review by the subject of the record at his request except for disclosures made under paragraph (c)(7) of this section.
(h) Application of rules. Any request for access, amendment, correction, etc., of personal record information in a system of records by an individual to whom such information pertains will be governed by the Privacy Act of 1974, as amended, DoD regulatory authority, and this part, exclusively. Any denial or exemption of all or part of a record from access, disclosure, amendment, correction, etc., will be processed under DoD regulatory authority and this part, unless court order or other competent authority directs otherwise.
(i) First Amendment rights. No NRO official or component may maintain any information pertaining to the exercise by an individual of his rights under the First Amendment without the permission of that individual unless such collection is specifically authorized by statute or pertains to an authorized law enforcement activity.
(j) Non-system information on individuals. The following information is not considered part of personal records systems reportable under this part and may be maintained by NRO for ready identification, contact, and property control purposes only, provided it is not maintained in a system of records. If at any time the information described in this paragraph is being maintained in a system of records, the information is subject to the Privacy Act.
(1) Identification information at doorways, building directories, desks, lockers, name tags, etc.
(2) Geographical or agency contact cards.
(3) Property receipts and control logs for building passes, credentials, vehicles, etc.
(4) Personal working notes of employees that are merely an extension of the author's memory, if maintained properly, do not come under the Privacy Act. Personal notes are not considered official NRO records if they meet the following requirements:
(i) Keeping or discarding notes must be at the sole discretion of the author. Any requirement by supervising authority, whether by oral or written directive, regulation, policy, or memo to maintain such notes, likely would cause the notes to become official agency records.
(ii) Such notes must be restricted to the author's personal use as memory aids, and only the author may have access to them. Passing them to a successor or showing them to other personnel (including supporting staff such as secretaries) would likely cause them to become agency records.
(5) Rosters. The NRO has no restriction against rosters that contain only corporate information such as name, work telephone number, and position. Good recordkeeping practices dictate that only rosters that are relevant and necessary to the NRO's operations may be maintained, and therefore convenience rosters, which by definition do not satisfy the test, may not be maintained.
§ 326.5 Responsibilities.
(a) The Director, NRO (DNRO):
(1) Supervises the execution of the Privacy Act and this part within the NRO.
(i) The Chief, Information Access and Release Center as the NRO Privacy Act Coordinator.
(ii) The Director of Security, the Director of Policy, and the NRO General Counsel as the NRO Appeals Panel; and
(b) The Privacy Act Coordinator, NRO:
(1) Establishes, issues, and updates policy for the NRO Privacy Act Program, monitors compliance, and serves as the principal NRO point of contact on all Privacy Act matters.
(2) Receives, processes, and responds to all PrivacyAct requests received by the NRO, including:
(i) Granting, granting in part, or denying an initial Privacy Act request for access or amendment to a record, and notifying a requester of such actions taken in regard to that request.
(ii) Granting a requester access to all or part ofa record under dispute when, after a review, a decision is made in favor of a requester.
(iii) Directing the appropriate NRO component to amend a record and advising other record holders to amend a record when a decision is made in favor of a requester.
(iv) Notifying a requester, if a request is denied, of the reasons for denial and the procedures for appeal to the Privacy Act Appeal Authority.
(v) Notifying a requester of his right to file a concise statement of his reasons for disagreement with the NRO's refusal to amend a record.
(vi) Directing that a requester's statement of reasons for the request to amend, his concise statement of disagreement with the NRO's refusal to amend a record, and the NRO's letter of denial be included in the file containing the disputed record.
(vii) Referring all appeals to the Privacy Act Appeals Panel and Appeal Authority.
(viii) Notifying a requester of any required fees and delivering such collected fees to the Comptroller.
(ix) Obtaining supplemental information from the requester when required.
(3) Serves as the NRO point of contact with the Defense Privacy Office.
(4) Reviews NRO use of records, and at least 40 calendar days prior to establishing a new agency system of records, ensures that new or amended notices are prepared and published in the Federal Register consistent with the requirements of 32 CFR part 310;
(5) Coordinates with forms managers to ensure that a Privacy Act Statement is on all forms or in all other methods used to collect personal information for inclusion in any NRO records system;
(6) Prepares the NRO Privacy Act report for submission to the DoD Privacy Office and to other authorities, as required by 32 CFR part 310.
(7) Reviews all procedures, including forms, which require an individual to furnish information for conformity with the Privacy Act.
(8) Retains the accounting of disclosures for at least five years or for the life of the record, whichever is longer, to be available for review by the subject of the record at his request except for disclosures made under paragraph (c)(7) of § 326.4; and
(9) Develops and oversees Privacy Act Program training for NRO personnel.
(c) The Privacy Act Appeals Panel, NRO:
(1) Meets and reviews all denials appealed by means of the NRO internal appeals process; and
(2) Recommends a finding to the Privacy Act Appeal Authority by a majority vote of those present at the meeting and based on the written record and the panel's deliberations.
(d) The Privacy Act Appeal Authority, NRO:
(1) Determines all NRO Privacy Act appeals.
(2) Reports the determination to the PA Coordinator.
(3) Signs the final appeal letter to the requester.
(e) General Counsel, NRO:
(1) Ensures uniformity in NRO legal positions concerning the Privacy Act and reviews proposed responses to Privacy Act requests to ensure legal sufficiency, as appropriate.
(2) Consults with DoD General Counsel on final denials that may be inconsistent with other final decisions within DoD; raises new legal issues of potential significance to other government agencies.
(3) Provides advice and assistance to the DNRO, the PA Coordinator, and component Directors, as required, in the discharge of their responsibilities pertaining to the Privacy Act.
(4) Advises on all legal matters concerning the Privacy Act, including legal decisions, rulings by the Department of Justice, and actions by DoD and other commissions on the Privacy Act.
(5) Approves all Privacy Act Statements prior to their reproduction and distribution.
(6) Acts as the NRO focal point for Privacy Act litigation with the Department of Justice.
(7) Provides a status report to the Defense Privacy Office, consistent with the requirements of 32 CFR part 310, whenever an individual brings suit under subsection (g) of the Privacy Act against NRO.
(f) Chief Information Officer (CIO), NRO:
(1) Ensures that NRO systems of records databases have procedures to protect the confidentiality of personal records maintained or processed by means of automatic data processing (ADP) systems and ensures that ADP systems contain appropriate safeguards for the privacy of personnel.
(2) Coordinates with the PA Coordinator before developing or modifying CIO-sponsored ADP supported files subject to the provisions of this part.
(g) Directorate and Office Managers, NRO:
(1) Ensure that records contained in their directorate or office systems of records are disclosed only to those NRO officials or employees who require the records for official purposes.
(2) Review their own directorate and office systems of records to ensure and certify that no systems of records other than those listed in the Federal Register System Notices are maintained; notify the CIO and the PA Coordinator promptly whenever there are changes to processing equipment, hardware, software, or database that may require an amended system notice.
(3) Maintain only such information about an individual as is relevant and necessary to accomplish a purpose which is required by statute or Executive Order and identify the specific provision of law or Executive Order which provides authority for the maintenance of information in each system of records.
(h) System Managers, NRO:
(1) Ensure that adequate safeguards have been established and are enforced to prevent the misuse, unauthorized disclosure, alteration, or destruction of personal information contained in system records.
(2) Ensure that all personnel who have access tothe system of records, or are engaged in developing or supervising procedures for handling records, are aware of their responsibilities established by the NRO Privacy Act Program.
(3) Evaluate each system of records during the planning stage and at regular intervals. The following factors should be considered:
(i) Relationship of data to be collected and retained to the purposes for which the system is maintained (all information must be relevant and necessary to the purpose for which it is collected).
(ii) The specific impact on the purpose or mission if categories of information are not collected (all data fields must be necessary to accomplish a lawful purpose or mission).
(iii) Whether informational needs can be met without using personal identifiers.
(iv) The cost of maintaining and disposing of records within the systems of records and the length of time each item of information must be retained according to the NRO Records Control Schedule as approved by the National Archives and Records Administration.
(4) Review system alterations or amendments to evaluate for relevancy and necessity.
(i) Forms and Information Managers. All NRO individualsresponsible for forms or methods used to collect personal information from individuals will:
(1) Ensure that Privacy Act Statements are on appropriate forms and that new forms have the required Privacy Act Statement.
(2) Determine, with General Counsel's concurrence, which forms require Privacy Act Statements and will prepare such statements.
(3) Assist the initiators in determining whether a form, format, questionnaire, or report requires a Privacy Act Statement. Privacy Act Statements must be complete, specific, written in plain English, and approved by the Office of General Counsel.
(j) Employees, NRO:
(1) Will be familiar with the provisions of this part regarding the maintenance of systems of records, authorized access, and authorized disclosure;
(2) Will collect, maintain, use, and/or disseminate records containing identifiable personal information only for lawful purposes; will keep the information current, complete, relevant, and accurate for its intended use; and will safeguard the records in a system and keep them the minimum time required;
(3) Will not disclose any personal information contained in any system of records, except as authorized by the Privacy Act and this part;
(4) Will maintain no system of records concerning individuals except those authorized, and will maintain no other information concerning individuals except as necessary for the conduct of business at the NRO;
(5) Will provide individuals a Privacy Act Statement when asking them to provide information about themselves. The Privacy Act Statement will include the authority under which the information is being requested, whether disclosure of the information is mandatory or voluntary, the purposes for which it is being requested, the uses to which it will be put, and the consequences of not providing the information;
(6) May not deny an individual any right or privilege provided by law because of that individual's failure to disclose his SSN unless such information is required by federal statute or disclosure was required by statute or regulations adopted prior to January 1, 1975. If disclosure of the SSN is not required, NRO directorates and offices are not precluded from requesting it from individuals; however, the Privacy Act Statement must make clear that the disclosure of the SSN is voluntary and, if the individual refuses to disclose it, must be prepared to identify him by alternate means.
(7) Will collect personal information directly from the subject whenever possible; employees may collect information from third parties when that information must be verified, opinions or evaluations are required, the subject cannot be contacted, or the subject requests it.
(8) Will keep paper and electronic records which contain personal information and are retrieved by name or personal identifier only in approved systems published in the Federal Register.
(9) Will amend and correct records when directed by the PA Coordinator.
(10) Will report to the PA Coordinator any disclosures of personal information from a system of records, or the maintenance of any system of records, not authorized by this part.
§ 326.6 Policies for processing requests for records.
(a) An individual's written request for access to records about himself which does not specify the Act under which the request is made will be processed under both the Freedom of Information Act (FOIA) and the Privacy Act and the applicable regulations. Such requests will be processed under both Acts regardless of whether the requester cites one Act, both, or neither in the request in order to ensure the maximum possible disclosure to the requester. Individuals may not be denied access to a record pertaining to themselves merely because those records are exempt from disclosure under the FOIA.
(b) A Privacy Act request that neither specifies the system(s) of records to be searched nor identifies the substantive nature of the information sought will be processed by searching the systems of records categorized as Environmental Health, Safety and Fitness, FOIA/Privacy, General, and Security.
(c) A Privacy Act request that does not designate the system(s) of records to be searched but does identify the substantive nature of the information sought will be processed by searching those systems of records likely to have information similar to that sought by the requester.
(d) The NRO will not disclose any record to any person or government agency except by written request or prior written consent of the subject of the record unless the disclosure is required by law or is within the exceptions of the Privacy Act. If a requester authorizes another individual to obtain the requested records on his behalf, the requester shall provide a written, signed, notarized statement appointing that individual as his representative and certifying that the individual appointed may have access to the requester's records and that such access shall not constitute an invasion of his privacy nor a violation of his rights under the Privacy Act. In lieu of a notarized statement, the NRO will accept a declaration in accordance with 28 U.S.C. 1746.
(e) Upon receipt of a written request, the Privacy Act Coordinator (PA Coordinator) will release to the requester those records which are releasable and applicable to the individual making the request. Records about individuals include data stored electronically or in electronic media. Documentary material qualifies as a record if the record is maintained in a system of records.
(f) Initial availability, potential for release, and cost determination will usually be made within ten working days of the date on which a written request for any identifiable record is received by the NRO (and acknowledgement is sent to the individual). If additional time is needed due to unusual circumstances, a written notification of the delay will be forwarded to the requester within the ten working day period. This notification will briefly explain the circumstances for the delay and indicate the anticipated date for a substantive response.
(g) All requests will be handled in the order received on a 'first-in, first-out' basis. Requests will be considered for expedited processing only if the NRO determines that there is a genuine health, humanitarian, or due process reason involving possible deprivation of life or liberty which creates an exceptional and urgent need, that there is no alternative forum for the records sought, and that substantive records relevantto the stated needs may exist and be releasable.
(h) Records provided or originated by another agency or containing other agency information will not be released prior to coordination with the other agency involved.
(i) Requesting or obtaining access to records under false pretenses is a violation of the Privacy Act and is subject to criminal penalties.
§ 326.7 Procedures for collection.
(a) To the maximum extent practical, personal information about an individual will be obtained directly from that individual.
(b) Whenever an individual is asked to provide personal information, including Social Security Number (SSN) or a personal identifier, about himself, a Privacy Act Statement will be furnished that will advise him of the authority (whether by statute or by Executive Order) under which the information is requested, whether disclosure of the information is voluntaryor mandatory, the purposes for which it is requested, the uses to which it will be put, and the consequences of not providing the information.
(c) When asking third parties to provide information about other individuals, NRO employees will advise them:
(1) Of the purpose of the request, and
(2) That their identities and the information they are furnishing may be released to the individual unless they expressly request confidentiality. All persons interviewed must be informed of their rights and offered confidentiality.
§ 326.8 Procedures for requesting access.
(a) Request in writing. An individual seeking notification of whether a system of records contains a record pertaining to him, or an individual seeking access to records pertaining to him which are available under the Privacy Act, shall address the request in writing to the Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-1715. The request should contain at least the following information:
(1) Identification. Reasonable identification, including first name, middle name or initial, surname, any aliases or nicknames, Social Security Number, and return address of the individual concerned, accompanied by a signed notarized statement that such information is true under penalty of perjury and swearing to or affirming his identity. An unsworn declaration, under 28 U.S.C. 1746, also is acceptable. In the case of a request for records of a sensitive nature if the PA Coordinator determines that this information does not sufficiently identify the individual, the PA Coordinator may requests additional identification or clarification of information submitted by the individual.
(i) In addition, an alien lawfully admitted for permanent residence shall provide his Alien Registration Number and the date that status was acquired.
(ii) The parent or guardian of a minor or of a person judicially determined to be incompetent, or an attorney retained to represent an individual, in addition to establishing the identity of the minor or person represented as required in this part, shall provide evidence of his own identity as required in this part and evidence of such parentage, guardianship, or representation by submitting a certified copyof the minor's birth certificate, the court order establishing such guardianship, or the representation agreement which establishes the relationship.
(2) Cost. A statement of willingness to pay reproduction costs. Processing of requests and administrative appeals from individuals who owe outstanding fees will be held in abeyance until such fees are paid.
(3) Record sought. A description, to the best of his ability, of the nature of the record sought and the system in which it is thought to be included. In lieu of this, a requester may simply describe why and under what circumstances he believes that the NRO maintains responsive records; the NRO will undertake the appropriate searches.
(b) Access on behalf of the individual. If the requester wishes another person to obtain the records on his behalf, the requester will furnish a notarized statement or unsworn declaration appointing that person as his representative, authorizing him access to the record, and affirming that access will not constitute an invasion of the requester's privacy or a violation of his rights under the Privacy Act. The NRO requires a written statement to authorize discussion of the individual's record in the presence of a third person.
§ 326.9 Procedures for disclosure of requested information.
(a) The PA Coordinator shall acknowledge receipt of the request in writing within ten working days.
(b) Upon receipt of a request, the PA Coordinator shall refer the request to those components most likely to possess responsive records. The components shall search all relevant record systems within their cognizance and shall:
(1) Determine whether a responsive record exists in a system of records.
(2) Determine whether access must be denied and on what legal basis. An individual may be denied access to his records under the Privacy Act only if an exemption has been properly claimed for all or part of the records or information requested; or if the information was compiled in reasonable anticipation of a civil action or proceeding.
(3) Approve the disclosure of records for which they are the originator.
(4) Forward to the PA Coordinator all records approved for release or necessary for coordination with or referral to another originator or interested party as well as notification of the specific determination for any denial.
(c) When all records have been collected, the PA Coordinator shall notify the individual of the determination and shall provide an exact copy of records deemed to be accessible if a copy has been requested.
(d) When an original record is illegible, incomplete, or partially exempt from release, the PA Coordinator shall explain in terms understood by the requester the portions of a record that are unclear.
(e) If access to requested records, or any portion thereof, is denied, the PA Coordinator shall inform the requester in writing of the specific reason(s) for denial, including the specific citation to appropriate sections of the Privacy Act or other statutes, this and other NRO regulations, or the Code of Federal Regulations authorizing denial, and the right to appeal this determination through the NRO appeal procedure within 60 calendar days. The denial shall include the date of denial, the name and title/position of the denial authority, and the address of the NRO Appeal Authority. Access may be refused when the records are exempt by the Privacy Act. Usually an individual will not be denied access to the entire record, but only to those portions to which the denial of access furthers the purpose for which an exemption was claimed.
§ 326.10 Procedures to appeal denial of access to requested record.
(a) Any individual whose request for access is denied may request a review of the initial decision within 60 calendar days of the date of the notification of denial of access by appealing within the NRO internal appeals process. If a requester elects to request NRO review, the request shall be sent in writing to the Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-1715, briefly identifying the particular record which is the subject of the request and setting forth the reasons for the appeal. The request should enclose a copy of the denial correspondence. The following procedures apply to appeals within the NRO:
(1) The PA Coordinator, after acknowledging receipt of the appeal, shall promptly refer the appeal to the record-holding components, informing them of the date of receipt of the appeal and requesting that the component head or his designee review the appeal.
(2) The record-holding components shall review the initial denial of access to the requested records and shall inform the PA Coordinator of their review determination.
(3) The PA Coordinator shall consolidate the component responses, review the record, direct such additional inquiry or investigation as is deemed necessary to make a fair and equitable determination, and make a recommendation to the NRO Appeals Panel, which makes a recommendation to the Appeal Authority.
(4) The Appeal Authority shall notify the PA Coordinator of the result of the determination on the appeal, who shall notify the individual of the determination in writing.
(5) If the determination reverses the initial denial, the PA Coordinator shall provide a copy of the records requested. If the determination upholds the initial denial, the PA Coordinator shall inform the requester of his right to judicial review in U.S. District Court and shall include the exact reasons for denial with specific citations to the provisions of the Privacy Act, other statutes, NRO regulations, or the Code of Federal Regulations upon which the determination is based.
(b) The Appeal Authority shall act on the appeal or provide a notice of extension within 30 working days.
§ 326.11 Special procedures for disclosure of medical and psychological records.
When requested medical and psychological records are not exempt from disclosure, the PA Coordinator may determine which non-exempt medical or psychological records should not be sent directly to the requester because of possible harm or adverse impact to the requester or another person. In that event, the information may be disclosed to a physician named by the requester. The appointment of the physician will be in the same notarized form or declaration as described in § 326.8 and will certify that the physician is licensed to practice in the appropriate specialty (medicine, psychology, or psychiatry). Upon designation, verification of the physician's identity, and agreement by the physician to review the documents with the requester to explain the meaning of the documents and to offer counseling designed to mitigate any adverse reaction, the NRO will forward such records to the designated physician. If the requester refuses or fails to designate a physician, the record shall not be provided. Under such circumstances refusal of access is not considered a denial for Privacy Act reporting purposes. However, if the designated physician declines to furnish the records to the individual, the PA Coordinator will take action to ensure that the records are provided to the individual.
§ 326.12 Procedures to request amendment or correction of record.
(a) An individual may request amendment or correction of a record pertaining to him/her by addressing such request in writing, to the Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-1715. Incomplete or inaccurate requests will not be rejected categorically; instead, the requester will be asked to clarify the request as needed. A request will not be rejected or require resubmission unless additional information is essential to process the request. Usually, amendments under this part are limited to correcting factual errors and not matters of official judgment, such as promotion ratings and job performance appraisals. The requester must adequately support his claim and must identify:
(1) The particular record he wishes to amend or correct, specifying the number of pages and documents, the titles of the documents, form numbers if any, dates on documents, and individuals who signed them. Any reasonable description of the documents is acceptable. A clear and specific description of passages, pages, or documents to be amended will expedite processing the request.
(2) The desired amending language. The requester should specify the type of amendment, including complete removal of data, passages, or documents from record or correction of information to make it accurate, more timely, complete, or relevant.
(3) A justification for such amendment or correctionto include any documentary evidence supporting the request.
(b) Individuals will be required to provide verification of identity as in § 326.8. to ensure that the requester is seeking to amend records pertaining to himself and not, inadvertently or intentionally, the records of another individual.
(c) Minor factual errors in an individual's personal record may be corrected routinely upon request without resort to the Privacy Act or the provisions of this part, if the requester and the record holder agree to that procedure and the requester receives a copy of the corrected record whenever possible. A written request is not required when individuals indicate amendments during routine annual review and updating of records programs conducted by the NRO for civilian personnel and the Services for military personnel. Requests for deletion, removal of records, and amendment of substantive factual information will be processed according to the Privacy Act and the provisions of this part.
(d) The PA Coordinator shall acknowledge receipt of the request in writing within ten working days. No separate acknowledgement of receipt is necessary if the request can be either approved or denied and the requester advised within the ten-day period. For written requests presented in person, written acknowledgement may be provided at the time the request is presented.
(e) The PA Coordinator shall refer such request to the record-holder components, shall advise those components of the date of receipt, and shall request that those components make a prompt determination on such request.
(f) The record-holder components shall promptly:
(1) Make any amendment or correction to any portion of the record which the individual believes is not accurate, relevant, timely, or complete and notify the PA Coordinator and all holders and recipients of such records and their amendments that the correction was made; or
(2) Set forth the reasons for the refusal, if they determine that the requested amendment or correction will not be made or if they decline to make the requested amendment but instead augment the official record, and so inform the PA Coordinator.
(g) The Privacy Act Coordinator shall:
(1) Inform the requester of the agency's determination to make the amendment or correction as requested and notify all prior recipients of the change to the disputed records for which an accounting had been required; or
(2) Inform the requester of the specific reasons and legal authorities for the agency's refusal and the procedures established for him to request a review of that refusal.
(h) The amendment procedure is not intended to replace other existing procedures such as those for registering grievances or appealing performance appraisal reports. In such cases the requester will be apprised of the appropriate procedures for such actions.
(i) This part does not permit the alteration of evidence presented to courts, boards, or other official proceedings.
§ 326.13 Procedures to appeal denial of amendment.
(a) Any individual whose request for amendment or correction is denied may request a review of the initial decision within 60 calendar days of the date of the notification of denial by appealing within the NRO internal appeals process. If a requester elects to request NRO review, the request shall be sent in writing to the Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-1715, briefly identifying the particular record which is the subject of the request and setting forth the reasons for the appeal. The request should enclose a copy of the denial correspondence. The following procedures apply to appeals within the NRO:
(1) The PA Coordinator, after acknowledging receipt of the appeal, shall promptly refer the appeal to the record-holding components, informing them of the date of receipt of the appeal and requesting that the component head or his designee review the appeal.
(2) The record-holding components shall review the initial denial of access to the requested records and shall inform the PA Coordinator of their review determination.
(3) The PA Coordinator shall act as secretary of the Appeals Panel. He shall:
(i) Consolidate the component responses and reasons for the initial denial.
(ii) Provide all supporting materials both furnished to and by the requester and the record-holding component.
(iii) Review the record.
(iv) Direct such additional inquiry or investigation as is deemed necessary to make a fair and equitable determination.
(v) Prepare the record and schedule the appeal for the next meeting of the Appeals Panel. The Appeals Panel shall recommend a finding to the Appeal Authority by a majority vote of those present at the meeting based on the written record and the Panel's deliberations. No personal appearances shall be permitted without the express permission of the Panel.
(4) The Appeal Authority shall notify the PA Coordinator of the result of the determination on the appeal who shall notify the individual of the determination in writing.
(5) The Appeal Authority will notify the PA Coordinator if the determination is that the record should be amended. The PA Coordinator will promptly advise the requester and the office holding the record to amend the record and to notify all prior recipients of the records for which an accounting was required of the change.
(6) If the determination upholds the initial denial, in whole or in part, the PA Coordinator shall inform the requester:
(i) Of the denial and the reason.
(ii) Of his right to file in NRO records within 60 calendar days a concise statement of the reasons for disputing the information contained in the record. If the requester elects to file a statement of disagreement, the PA Coordinator will be responsible for clearly noting any portion of the record that is disputed and for appending into the file the requester's statement as well as a copy of the NRO's letter to the requester denying the disputed information, if appropriate. The requester's statement and the NRO denial letter will be made available to anyone to whom the record is subsequently disclosed, and prior recipients of the disputed record will be provided a copy of both to the extent that an accounting of disclosures is maintained.
(iii) Of his right to judicial review in U.S. District Court.
(7) The Appeal Authority shall act on the appeal or provide a notice of extension within 30 working days.
§ 326.14 Disclosure of records to person other than subject.
(a) Personal records contained in a Privacy Act system of records maintained by NRO shall not be disclosed by any means to any person or agency outside the NRO except with the written consent of the individual subject of the record, unless as provided in this part.
(b) Except for disclosure made to members of the NRO in connection with their official duties and disclosures required by the Freedom of Information Act, an accounting will be kept of all disclosures of records maintained in NRO systems of records and of all disclosures of investigative information. Accounting entries will record the date, kind of information, purpose of each disclosure, and the name and address of the person or agency to whom the disclosure is made. Accounting records will be maintained for at least five years after the last disclosure or for the life of the record, whichever is longer. Subjects of NRO records will be given access to associated accounting records upon request except for disclosures made pursuant to § 326.4, or where an exemption has been properly claimed for the system of records.
§ 326.15 Fees.
Individuals requesting copies of their official personnel records are entitled to one free copy; a charge will be assessed for additional copies. There is a cost of $.15 per page. Fees will not be assessed if the cost is less than $30.00. Fees should be paid by check or postal money order payable to the Treasurer of the United States and forwarded to the Privacy Act Coordinator, NRO, at the time the copy of the record is delivered. In some instances, fees will be due in advance.
§ 326.16 Penalties.
Each request shall be treated as a certification by the requester that he is the individual named in the request. The Privacy Act provides criminal penalties for any person who knowingly and willfully requests or obtains any information concerning an individual under false pretenses.
§ 326.17 Exemptions.
(a) All systems of records maintained by the NRO shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be withheld in the interest of national defense of foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.
(b) No system of records within the NRO shall be considered exempt under subsection (j) or (k) of the Privacy Act until the exemption and the exemption rule for the system of records has been published as a final rule in the Federal Register .
(c) An individual is not entitled to have access to any information compiled in reasonable anticipation of a civil action or proceeding (5 U.S.C. 552a(d)(5)).
(d) Proposals to exempt a system of records will be forwarded to the Defense Privacy Office, consistent with the requirements of 32 CFR part 310, for review and action.
Dated: April 11, 2000.
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 00-9417 Filed 4-14-00; 8:45 am]
BILLING CODE 5001-10-F