Advanced Criminal Investigations and Intelligence Operations
Page 54
396
Appendix D: Consumer and Credit Data Privacy Laws
(vi) matches performed for foreign counterintelligence pur-
poses or to produce background checks for security
clearances of Federal personnel or Federal contractor
personnel;
(vii) matches performed incident to a levy described in sec-
tion 6103(k)(8) of the Internal Revenue Code of 1986; or
(vi i) matches performed pursuant to section 202(x)(3) or
1611(e)(1) of the Social Security Act (42 U.S.C. § 402(x)(3),
§ 1382(e)(1));
(9) the term “recipient agency” means any agency, or contractor
thereof, receiving records contained in a system of records from
a source agency for use in a matching program;
(10) the term “non-Federal agency” means any State or local govern-
ment, or agency thereof, which receives records contained in a
system of records from a source agency for use in a matching
program;
(11) the term “source agency” means any agency which discloses
records contained in a system of records to be used in a match-
ing program, or any State or local government, or agency thereof,
which discloses records to be used in a matching program;
(12) the term “Federal benefit program” means any program admin-
istered or funded by the Federal Government, or by any agent
or State on behalf of the Federal Government, providing cash or
in-kind assistance in the form of payments, grants, loans, or loan
guarantees to individuals; and
(13) the term “Federal personnel” means officers and employees of
the Government of the United States, members of the uniformed
services (including members of the Reserve Components),
individuals entitled to receive immediate or deferred retirement
benefits under any retirement program of the Government of the
United States (including survivor benefits).
(b) Conditions of disclosure. No agency shall disclose any record
which is contained in a system of records by any means of com-
munication to any person, or to another agency, except pursuant
to a written request by, or with the prior written consent of, the
individual to whom the record pertains, unless disclosure of the
record would be—
(1) to those officers and employees of the agency which maintains
the record who have a need for the record in the performance of
their duties;
(2) required under section 552 of this title;
(3) for a routine use as defined in subsection (a)(7) of this section
and described under subsection (e)(4)(D) of this section;
Appendix D: Consumer and Credit Data Privacy Laws
397
(4) to the Bureau of the Census for purposes of planning or carrying
out a census or survey or related activity pursuant to the provisions
of Title 13;
(5) to a recipient who has provided the agency with advance adequate
written assurance that the record will be used solely as a statisti-
cal research or reporting record, and the record is to be trans-
ferred in a form that is not individually identifiable;
(6) to the National Archives and Records Administration as a record
which has sufficient historical or other value to warrant its
continued preservation by the United States Government, or
for evaluation by the Archivist of the United States or the des-
ignee of the Archivist to determine whether the record has
such value;
(7) to another agency or to an instrumentality of any governmental
jurisdiction within or under the control of the United States for a
civil or criminal law enforcement activity if the activity is autho-
rized by law, and if the head of the agency or instrumentality has
made a written request to the agency which maintains the record
specifying the particular portion desired and the law enforce-
ment activity for which the record is sought;
(8) to a person pursuant to a showing of compelling circumstances
affecting the health or safety of an individual if upon such dis-
closure notification is transmitted to the last known address of
such individual;
(9) to either House of Congress, or, to the extent of matter within
its jurisdiction, any committee or subcommittee thereof, any
joint committee of Congress or subcommittee of any such joint
committee;
(10) to the Comptroller General, or any of his authorized represen-
tatives, in the course of the performance of the duties of the
General Accounting Office;
(11) pursuant to the order of a court of competent jurisdiction; or
(12) to a consumer reporting agency in accordance with section
3711(e) of Title 31.
(c) Accounting of Certain Disclosures. Each agency, with respect to
each system of records under its control, shall—
(1) except for disclosures made under subsections (b)(1) or (b)(2) of
this section, keep an accurate accounting of—
(A) the date, nature, and purpose of each disclosure of a record
to any person or to another agency made under subsection
(b) of this section; and
(B) the name and address of the person or agency to whom the
disclosure is made;
398
Appendix D: Consumer and Credit Data Privacy Laws
(2) retain the accounting made under paragraph (1) of this subsec-
tion for at least five years or the life of the record, whichever is
longer, after the disclosure for which the accounting is made;
(3) except for disclosures made under subsection (b)(7) of this sec-
tion, make the accounting made under paragraph (1) of this
subsection available to the individual named in the record at his
request; and
(4) inform any person or other agency about any correction or nota-
tion of dispute made by the agency in accordance with subsection
(d) of this section of any record that has been disclosed to the
person or agency if an accounting of the disclosure was made.
(d) Access to records. Each agency that maintains a system of records
shall—
(1) upon request by any individual to gain access to his record or
to any information pertaining to him which is contained in the
system, permit him and upon his request, a person of his own
choosing to accompany him, to review the record and have a
copy made of all or any portion thereof in a form comprehen-
sible to him, except that the agency may require the individual to
furnish a written statement authorizing discussion of that indi-
vidual’s record in the accompanying person’s presence;
(2) permit the individual to request amendment of a record pertain-
ing to him and—
(A) not later than 10 days (excluding Saturdays, Sundays, and
legal public holidays) after the date of receipt of such request,
acknowledge in writing such receipt; and
(B) promptly, either—
(i) make any correction of any portion thereof which the
individual believes is not accurate, relevant, timely, or
complete; or
(ii) inform the individual of its refusal to amend the record
in accor
dance with his request, the reason for the
refusal, the procedures established by the agency for
the individual to request a review of that refusal by the
head of the agency or an officer designated by the head
of the agency, and the name and business address of
that official;
(3) permit the individual who disagrees with the refusal of the
agency to amend his record to request a review of such refusal,
and not later than 30 days (excluding Saturdays, Sundays, and
legal public holidays) from the date on which the individual
requests such review, complete such review and make a final
determination unless, for good cause shown, the head of the
Appendix D: Consumer and Credit Data Privacy Laws
399
agency extends such 30-day period; and if, after his review,
the reviewing official also refuses to amend the record in
accordance with the request, permit the individual to file
with the agency a concise statement setting forth the rea-
sons for his disagreement with the refusal of the agency, and
notify the individual of the provisions for judicial review of
the reviewing official’s determination under subsection (g)(1)
(A) of this section;
(4) in any disclosure, containing information about which the indi-
vidual has filed a statement of disagreement, occurring after
the filing of the statement under paragraph (3) of this subsec-
tion, clearly note any portion of the record which is disputed and
provide copies of the statement and, if the agency deems it
appropriate, copies of a concise statement of the reasons of the
agency for not making the amendments requested, to persons
or other agencies to whom the disputed record has been dis-
closed; and
(5) nothing in this section shall allow an individual access to any
information compiled in reasonable anticipation of a civil action
or proceeding.
(e) Agency requirements. Each agency that maintains a system of
records shall—
(1) maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency
required to be accomplished by statute or by Executive order of
the President;
(2) collect information to the greatest extent practicable directly
from the subject individual when the information may result
in adverse determinations about an individual’s rights, benefits,
and privileges under Federal programs;
(3) inform each individual whom it asks to supply information, on
the form which it uses to collect the information or on a separate
form that can be retained by the individual—
(A) the authority (whether granted by statute, or by Executive
order of the President) which authorizes the solicitation of
the information and whether disclosure of such information
is mandatory or voluntary;
(B) the principal purpose or purposes for which the information
is intended to be used;
(C) the routine uses which may be made of the information, as
published pursuant to paragraph (4)(D) of this subsection; and
(D) the effects on him, if any, of not providing all or any part of
the requested information;
400
Appendix D: Consumer and Credit Data Privacy Laws
(4) subject to the provisions of paragraph (11) of this subsection,
publish in the Federal Register upon establishment or revision
a notice of the existence and character of the system of records,
which notice shall include—
(A) the name and location of the system;
(B) the categories of individuals on whom records are maintained
in the system;
(C) the categories of records maintained in the system;
(D) each routine use of the records contained in the sys-
tem, including the categories of users and the purpose of
such use;
(E) the policies and practices of the agency regarding storage,
retrievability, access controls, retention, and disposal of the
records;
(F) the title and business address of the agency official who is
responsible for the system of records;
(G) the agency procedures whereby an individual can be noti-
fied at his request if the system of records contains a record
pertaining to him;
(H) the agency procedures whereby an individual can be notified
at his request how he can gain access to any record pertain-
ing to him contained in the system of records, and how he
can contest its content; and
(I) the categories of sources of records in the system;
(5) maintain all records which are used by the agency in making
any determination about any individual with such accuracy, rel-
evance, timeliness, and completeness as is reasonably necessary
to assure fairness to the individual in the determination;
(6) prior to disseminating any record about an individual to any
person other than an agency, unless the dissemination is made
pursuant to subsection (b)(2) of this section, make reasonable
efforts to assure that such records are accurate, complete, timely,
and relevant for agency purposes;
(7) maintain no record describing how any individual exercises
rights guaranteed by the First Amendment unless expressly
authorized by statute or by the individual about whom the record
is maintained or unless pertinent to and within the scope of an
authorized law enforcement activity;
(8) make reasonable efforts to serve notice on an individual when
any record on such individual is made available to any person
under compulsory legal process when such process becomes a
matter of public record;
Appendix D: Consumer and Credit Data Privacy Laws
401
(9) establish rules of conduct for persons involved in the design,
development, operation, or maintenance of any system of records,
or in maintaining any record, and instruct each such person with
respect to such rules and the requirements of this section, includ-
ing any other rules and procedures adopted pursuant to this sec-
tion and the penalties for noncompliance;
(10) establish appropriate administrative, technical and physical
safeguards to insure the security and confidentiality of records
and to protect against any anticipated threats or hazards to their
security or integrity which could result in substantial harm,
embarrassment, inconvenience, or unfairness to any individual
on whom information is maintained;
(11) at least 30 days prior to publication of information under
paragraph (4)(D) of this subsection, publish in the Federal
Register notice of any new use or intended use of the informa-
tion in the system, and provide an opportunity for interested
persons to submit written data, views, or arguments to the
agency; and
(12) if such agency is a recipient agency or a source agency in a
matching program with a non-Federal agency, with respect to
any establishment or revision of a matching program, at least 30
days prior to conducting such program, publ
ish in the Federal
Register notice of such establishment or revision.
(f) Agency rules. In order to carry out the provisions of this section, each agency that maintains a system of records shall promulgate rules, in
accordance with the requirements (including general notice) of sec-
tion 553 of this title, which shall—
(1) establish procedures whereby an individual can be notified in
response to his request if any system of records named by the
individual contains a record pertaining to him;
(2) define reasonable times, places, and requirements for identifying
an individual who requests his record or information pertaining
to him before the agency shall make the record or information
available to the individual;
(3) establish procedures for the disclosure to an individual upon his
request of his record or information pertaining to him, including
special procedure, if deemed necessary, for the disclosure to an
individual of medical records, including psychological records,
pertaining to him;
(4) establish procedures for reviewing a request from an individual
concerning the amendment of any record or information per-
taining to the individual, for making a determination on the
402
Appendix D: Consumer and Credit Data Privacy Laws
request, for an appeal within the agency of an initial adverse
agency determination, and for whatever additional means may
be necessary for each individual to be able to exercise fully his
rights under this section; and
(5) establish fees to be charged, if any, to any individual for mak-
ing copies of his record, excluding the cost of any search for and
review of the record.