Privacy Act of 1974 (EEOC Order)

__________/s/__________
Thomasina v. Rogers
Legal Counsel

GENERAL MANAGEMENT
Privacy Act of 1974, as amended

1. SUBJECT. Privacy Act of 1974, as amended, 5 U.S.C. § 552a
2. PURPOSE. This order sets forth the requirements of the
   Privacy Act of 1974, as amended, 5 U.S.C. § 552a, and
   establishes the responsibilities of Commission officials for
   carrying out that law. The order also contains the
   Commission's regulatory procedures for responding to Privacy
   Act requests for disclosure or amendment of a record
   (Appendix A) and the Commission's Notice of its Privacy Act
   Systems of Records that identifies the Commission records
   covered by the Act (Appendix B).
3. EFFECTIVE DATE. November 21, 1991.
4. ORIGINATOR. Legal Services, Office of Legal Counsel.
5. COVERAGE AND REMEDIES PROVIDED BY THE PRIVACY ACT. The
   Privacy Act of 1974, as amended, 5 U.S.C. § 552a, is
   intended to ensure that personal information about
   individuals collected by Federal agencies is limited to that
   which is legally authorized and necessary and is maintained
   in a manner that precludes unwarranted invasion of
   individual privacy. The Act, therefore, prohibits the
   disclosure of any record contained in a system of records by
   any means of communication to any person, or to another
   agency, except pursuant to a written request by, or with the
   prior written consent of the individual to whom the record
   pertains, or under certain limited conditions as indicated
   in paragraph 8 of this Order. 5 U.S.C. § 552a(b). Coverage
   is limited, however, to systems of records (groupings of
   personal data about identifiable individuals) from which
   information is retrieved by reference to the individual's
   name, or some other personal identifier (i.e., fingerprint,
   employee code, social security number). Agencies that
   maintain such systems of records on individuals are required
   to identify their systems, and to comply with the
   requirements of the Act as to those systems of records only.
   5 U.S.C. § 552a(e).
   1. Procedures. The Commission has promulgated
      regulations, 29 C.F.R. Part 1611 (contained in Appendix
      A to this Order), in accordance with the Act [5 U.S.C.
      § 552a(c), (d) and (f)] that permit individuals to:
      • (1) ascertain whether a system of records contains
        information on them;
      • request access to this information;
      • be informed who, if anyone, has been provided with
        information on them from a system of records;
      • challenge the accuracy of the maintained
        information;
      • request that inaccurate information be amended;
      • appeal denials of requests for access to or
        amendment of maintained information;
      • submit, for inclusion in the record, a statement
        as to their version of the alleged inaccurate
        information if the appeal for amendment of a
        record is denied; and
      • require that any statement of their version of the
        alleged accurate information be transmitted to any
        person who has received the information in its
        inaccurate, or allegedly inaccurate, form.
   2. Systems of Records. The Commission's notice of its
      Systems of Records to which the Privacy Act applies has
      been published in the Federal Register and forms
      Appendix B to this Order.
   3. Civil Action. An individual may bring a civil action
      against an agency, and the district courts of the
      United States have jurisdiction, whenever an agency:
      • (1) makes a determination not to amend an individual's
        record in accordance with his request, or fails to
        make such review in conformity with this
        subsection;
      • refuses to comply with an individual request for
        access;
      • fails to maintain any record concerning any
        individual with such accuracy, relevance,
        timeliness, and completeness as is necessary to
        assure fairness in any determination relating to
        qualifications, character, rights, or
        opportunities of, or benefits to the individual
        that may be made on the basis of such record, and
        consequently a determination is made that is
        adverse to the tndividual; or
      • fails to comply with any other provision of the
        Privacy Act or any rule promulgated thereunder, in
        such a way as to have an adverse effect on an
        individual. 5 U.S.C. § 552a(g)(l)
   4. Criminal Liability. Section i of the Act provides:
      • Any officer or employee of an agency, who by
        virtue of his employment or official position, has
        possession of or access to agency records that
        contain individually identifiable information the
        disclosure of which is prohibited by the Privacy
        Act or by rules or regulations established
        thereunder, and who, knowing that disclosure of
        the specific material is so prohibited, willfully
        discloses the material in any manner to any person
        or agency not entitled to receive it, shall be
        guilty of a misdemeanor and fined not more than
        $5,000.
      • Any officer or employee of any agency who
        willfully maintains a system of records without
        publishing a notice of the existence and character
        of that system of records as required by the Act
        shall be guilty of a misdemeanor and fined not
        more than $5,000.
      • Any person who knowingly and willfully requests or
        obtains any record concerning an individual from
        an agency under false pretenses shall be guilty of
        a misdemeanor and fined not more than $5,000. 5
        U.S.C. § 552a(i).
6. DEFINITIONS.
   1. Accounting. A record of disclosures made from Privacy
      Act systems of records. The record is to contain the
      date, nature, and purpose of each disclosure, and the
      name and address of the person or entity to whom
      disclosure was made.
   2. Determination. Any decision affecting the individual
      that is in whole or in part based on information
      contained in a Privacy Act record and is made by any
      person or any agency.
   3. Individual. A citizen of the United States or an alien
      lawfully admitted for permanent residence.
   4. Maintain. To keep in existence or to retain, to
      collect, use or disseminate.
   5. Privacy Act Statement. A statement that must be given
      to an individual from whom information is solicited for
      inclusion in a Privacy Act system of records. The
      statement need only be given when the solicited
      information is to be maintained in a system of records.
      
      The statement must include (1) the authority for
      solicitation of the information and whether providing
      the information is mandatory or voluntary; (2) the
      principal purpose(s) for which the information is
      intended to be used; (3) the routine uses that may be
      made of the information; and (4) the effects on the
      individual, if any, of not providing all or any part of
      the requested information.
   6. Privacy Act System Notice. A statement, published in
      the Federal Register, notifying the public of, among
      other things, the existence of a Privacy Act system of
      records. The notice must contain the information
      indicated in paragraph 13 of this Order.
   7. Record. Any item, collection or grouping of
      information about an individual that is maintained by
      an agency including, but not limited to, his or her
      education, financial transactions, medical, criminal
      and employment histories and that contains his or her
      name or some other personal identifier (e.g., social
      security number, employee code, finger or voice print
      or a photograph).
   8. Routine Use. A purpose for maintaining a record that
      permits certain disclosures of the record, as indicated
      in the Privacy Act System Notice (Appendix B), without
      the consent of the subject of the record.
   9. Statistical Record. A record in a system of records
      maintained for statistical research or reporting
      purposes only and not used in whole or in part in
      making any determination about an individual.
   10. System Manager. An agency official who, by virtue of
       his or her duties, has custody and control of one or
       more Privacy Act system(s) of records. Commission
       officials become Privacy Act systems managers only by
       their designation as such in the Privacy Act System
       Notice published in the Federal Register. The System
       Manager is directly responsible for compliance with the
       provisions of the Privacy Act, the Commission's Privacy
       Act Regulations (29 C.F.R. Part 1611) and this Order
       with respect to the system(s) for which he or she is
       the manager. For example, District Directors are the
       managers for the Commission's discrimination case files
       systems, but they are only managers of the case file
       systems located in their office. See Appendix B.
   11. System of Records. A group of records (as defined
       above) under the control of an agency from which
       information is retrieved by the name of the individual
       or some other personal identifier (e.g., social
       security number, employee code). See Appendix B for
       the Commission's Systems of Records.
7. RESPONSIBILITIES
   1. The Commission shall ensure proper administration of
      the Act within the EEOC.
   2. The Legal Counsel shall:
      • recommend to the Commission agency procedures and
        policies for proper administration of the Act;
        assist System Managers in determining whether any
        grouping of information on individuals constitutes
        a "system of records";
      • review and determine within 30 working days
        appeals brought under the Act;
      • prepare for publication in the Federal Register
        all required Privacy Act regulations, notices and
        other information;
      • specify the data required for and prepare all the
        Commission's Privacy Act reports required to be
        submitted to the Office of Management and Budget,
        the President, the Congress or any other entity
        with oversight responsibility for implementation
        of the Act; and
      • provide assistance and advice to Commission
        off ices and officials regarding compliance with
        the requirements of the Act.
   3. System Managers are directly responsible for the day-to-
      day administration of the Privacy Act with respect
      to the systems of which they are designated as the
      manager. They shall:
      • ensure that only such information about an
        individual as is relevant and necessary to
        accomplish an authorized objective of the
        Commission is maintained in nonexempt systems of
        records;
      • ensure that, to the greatest extent practicable,
        information that may result in adverse
        determinations about an individual's rights,
        benefits and privileges under federal programs is
        collected from the subject individual;
      • ensure that Privacy Act statements are provided,
        as required, to each individual who is asked to
        provide information on himself or herself, when
        that information is to be maintained in a system
        of records;
      • ensure that all records used by the Commission in
        making any determination about any individual are
        maintained with such accuracy, relevance,
        timeliness, and completeness as is reasonably
        necessary to assure fairness to the individual in
        the determination;
      • determine whether the records sought are exempted
        from the provisions of the Act when an individual
        requests access to records in a system;
      • ensure that, prior to disseminating any record
        about an individual to any person other than
        another Federal Agency (unless the dissemination
        is made pursuant to the Freedom of Information
        Act), reasonable efforts are made to ensure that
        such records are accμrate, complete, timely and
        relevant for Commission purposes;
      • ensure that no records are maintained that
        describe how any individual exercises rights
        guaranteed by the First Amendment, unless
        expressly authorized by the individual, or statute
        or unless pertinent to and within the scope of an
        authorized law enforcement activity;
      • make reasonable efforts to serve notice on an
        individual when any record on such individual is
        made available to any person under compulsory
        legal process when such legal process becomes a
        matter of public record;
      • establish appropriate administrative, technical,
        and physical safeguards to ensure the security and
        confidentiality of records and to protect against
        any anticipated threats or hazards to their
        security or integrity that could result in
        substantial harm, embarrassment, inconvenience, or
        unfairness to any individual on whom information
        is maintained;
      • process requests for notification as to whether
        the Commission maintains a record about the
        requester and requests for access to such record;
        ensure that an accounting of disclosures from
        nonexempt systems of records is maintained for
        five years or the life of the record, whichever is
        longer, except that an accounting need not be made
        of intra-agency disclosures and disclosures made
        pursuant to the Freedom of Information Act;
      • (12) make available an accounting of disclosures made
        of a record about the requester from a nonexempt
        system of records upon request;
      • (13) process requests for amendment or correction of a
        record in a nonexempt system of records;
      • (14) notify the Legal Counsel regarding a proposal to
        change a system of records;
      • (15) consult with the Office of Legal Counsel (Legal
        Services) regarding the implementation of the Act;
      • (16) ensure that disclosures from systems of records
        are made only in a manner consistent with this
        Order;
      • (17) ensure compliance with the Commission's Privacy
        Act regulations, 29 C.F.R. Part 1611, for the
        system(s) of records of which he or she is the
        manager; and
      • (18) ensure that disclosures of information from
        Privacy Act systems of records are made only under
        the conditions specified for disclosure, including
        ascertaining proper identification of the
        requester, prior to release, in accordance with 29
        C.F.R. § 1611.4 (see paragraph 8 below).
   4. Office Heads (Hdqs.) and District Directors shall:
      
      • (l) notify in writing and consult with the Office of
        Legal Counsel (Legal Services) regarding any
        Privacy Act requirements at least 90 days prior to
        the date on which they propose to establish a
        Privacy Act System of Records. Said notification
        shall include the information that is required to
        be published in a Privacy Act System Notice (see
        Appendix B); and
      • (2) ensure that their employees are informed of the
        provisions of this order.
8. CONDITIONS PERMITTING DISCLOSURE. Disclosure from Privacy
   Act Systems of Records wiil be made only when it is:
   1. pursuant to a written request by, or with the prior
      written consent of, the individual to whom the record
      pertains;
   2. to those officers and employees of the Commission who
      have a need for the record in the performance of their duties;
   3. required by the Freedom of Information Act;
   4. for a routine use for the system of records involved as
      published in the Federal Register (see Appendix B);
   5. to the Bureau of the Census for purposes of planning or
      survey or related activity pursuant to the provisions
      of Title 13 of the United States Code;
   6. to a recipient who has provided the agency with advance
      adequate written assurance that the record will be used
      solely as a statistical research or reporting record,
      and the record is to be transferred in a form that is
      not individually identifiable;
   7. to the National Archives and Records Administration as
      a record that has sufficient historical or other value
      to warrant its continued preservation by the United
      States Government, ot for evaluation by the Archivist
      of the United States or designee to determine whether
      the record has such value;
   8. to another agency or to an instrumentality of any
      governmental jurisdiction within or under the control :.
      of the United States for a civil or criminal law
      enforcement activity if the activity is authorized by
      law, and if the head of the agency or instrumentality
      has made a written request to the Commission specifying
      the particular portion desired and the law enforcement
      activity for which the record is sought;
   9. to a person pursuant to a showing of compelling
      circumstances affecting the health or safety of an
      individual, if upon such disclosure notification is
      transmitted to the last known address of such
      individual;
   10. to either House of Congress, or to the extent the
       matter is within its jurisdiction, any committee or
       subcommittee thereof, any joint committee of Congress
       or subcommittee of any such joint committee;
   11. o the Comptroller General, or any of his authorized
       representatives, in the course of the performance of
       the duties of the General Accounting Office;
   12. pursuant to the order of a court of competent
       jurisdiction; or
   13. to a consumer reporting agency in accordance with
       section 3(d) of the Federal Claims Collection Act of
       1966, 31 U.S.C. § 37ll(f).
9. PROCEDURES FOR PRIVACY ACT REQUESTS AND APPEALS. Requests
   from individuals regarding whether the Commission maintains
   a record about such individuals, access to such records, and
   correction or amendment of such records and appeals of such
   requests, when denied, shall be processed in accordance with
   the Commission's Privacy Act Regulations, 29 C.F.R. Part
   1611 (Appendix A) and Notice of Privacy Act Systems of
   Records (Appendix B). The regulations and notice explicitly
   describe the manner in which System Managers shall process
   Privacy Act requests; they describe the role of the Legal
   Counsel in responding to appeals of denied requests.
   Therefore, the regulations contained in Appendix A and
   notice in Appendix B to this Order should be consulted for
   the procedures on Privacy Act requests and appeals.
   1. Combined Privacy Act and Freedom of Information Act
      Requests. If an individual seeks access to records
      under both the Privacy Act and Freedom of Information
      Act, the System Manager should consult with the
      Regional Attorney or Office of Legal Counsel, Legal
      Services, before granting or denying such a request.
   2. Charging Fees. No fee shall be charged for searches
      necessary to locate records. Fees shall be charged for
      copies made by photocopy device or otherwise as
      prescribed in the Commission's Privacy Act regulations,
      29 C.F.R. Part 1611 (see Appendix A).
10. ESTABLISHING A NEW SYSTEM OF RECORDS.
    1. The Chairman, Commissioners, Office Heads (at Hdqs.),
       or District Directors may propose the establishment of
       a new system of records.
    2. The proposing official shall assess the need for and
       relevance of the information to be contained in the
       proposed new system and shall consult with the Office
       of Legal Counsel in order to determine the legality of
       the proposed system. At least 90 days prior to the
       date on which the proposing official plans to collect
       information for inclusion in the new system, the
       proposing official shall provide the Office of Legal
       Counsel with the proposing official's assessments noted
       above and a draft new system notice containing the
       information set forth at paragraph 13. The Office of
       Legal Counsel will prepare the final system notice. No
       new system may be utilized or information collected
       thereunder before the preconditions set forth below in
       lOc, d, e, and f are met.
    3. Upon approval of the system by the Commission, advance
       notice of a new system of records shall be issued by
       the Chairman to the Committee on Government Operations
       of the House of Representatives, the Committee on
       Governmental Affairs of the Senate, and the Office of
       Management and Budget at least 60 days before: (1) the
       issuance of data collection forms and/or instructions;
       (2) any public issuance of a Request for Proposal or an
       Invitation to Bid for computer or communications
       systems or services intended to support the system of
       records; or (3) entering any personal information into
       the new or altered system. The report shall contain:
       • a transmittal letter including the name and
         address of the EEOC official to whom inquiries and
         comments may be addressed;
       • an advanced copy of the new or revised system
         notice that the agency proposes to publish for the
         new or altered system(s);
       • an advance copy of any new rules or changes to
         published rules that the agency proposes for the
         new or altered system; and
       • an advance copy of any proposed rules setting
         forth the reasons why the system is to be exempted
         from any specific provision if the agency head
         plans to invoke any exemptions for the new or
         altered systems.
    4. The Office of Legal Counsel shall prepare the system
       notice for Commission approval and publication in the
       Federal Register for notice and comment in accordance
       with 5 U.S.C. § 552a(e)(ll).
    5. After the period of notice and comment, the Office of
       Legal Counsel shall cause the final system notice to be
       published in the Federal Register 30 days before the
       system becomes operational in accordance with 5 U.S.C.
       § 553.
    6. A Privacy Act Statement must be prepared by the System
       Manager and approved by the Office of Legal Counsel.
11. CHANGING A SYSTEM OF RECORDS. The Legal Counsel should be
    contacted ninety (90) days in advance of a proposed change
    in an existing system of records for guidance in preparing a
    new system notice. See paragraph 10 above. The following
    changes to an existing system of records require advance
    notice of the revision as set forth in paragraph lOc.
    1. To increase or change the number or types of
       individuals on whom information is maintained;
    2. To expand the types or categories of information
       maintained;
    3. To alter the manner in which the records are organized
       or the manner in which records are indexed or retrieved
       so as to change the nature or scope of those records;
    4. To alter the purposes for which the information is
       used;
    5. To change the equipment configuration (i.e., hardware
       and/or software) on which the system is operated so as
       to create the potential for either greater or easier
       access; or
    6. To add routine uses.
12. CANCELLING A SYSTEM OF RECORDS
    1. A System Manager shall consult with the Office of Legal
       Counsel to determine whether cancellation is
       appropriate.
    2. The Office of Legal Counsel shall prepare a notice of
       cancellation of a system of records for publication in
       the Federal Register.
    3. Such Notice shall contain:
       • an explanation of the background of the system;
         and
       • the reasons for cancellation
    4. Upon approval by the Commission, the cancellation
       notice shall be published in the Federal Register.
13. PREPARING PRIVACY ACT NOTICES.
    1. The Legal Counsel shall prepare a notice of the
       existence and character of systems of records and
       publish it in the Federal Register upon establishment
       or revision of a system. The notice shall contain:
       • the name of the system;
       • the location of the system;
       • the categories of individuals on whom records are
         maintained in the system;
       • the categories of records maintained in the
         system;
       • the routine uses of the records contained in the
         system, including the categories of users and the
         purpose of each use;
       • the agency's policies and practices regarding
         storage, retrievability, access controls,
         retention and disposal of the records;
       • the title and business address of the system
         manager;
       • the procedure for determining if the system of
         records contains a record pertaining to an
         individual;
       • the procedure for gaining access to a record in
         the system and contesting a record's contents;
       • (10) the categories of record sources.
14. PREPARING THE BIENNIAL REPORT
    1. System managers shall periodically review their systems
       of records so as to:
       • determine the relevancy of, and necessity for, the
         general categories of information maintained;
       • ensure that records are accurate, relevant, timely
         and complete;
       • consider the manner in which information has been
         used and what specific authorities permit such
         uses;
       • determine whether some of the information
         collected can be eliminated; and
       • consider whether all the information must be
         individually identifiable.
    2. Biennial Report Data. During February of each even
       numbered year, System Managers shall submit to the
       Off ice of Legal Counsel information on the following
       covering the previous two calendar years:
       • the total number of requests from individuals
         seeking access to and seeking to amend their
         records pursuant to the Act; the number granted in
         full or in part, and the number denied with the
         bases for denial; and the title of the system to
         which access or amendment was sought;
       • the number of requests for access and amendment
         that had to be returned because they contained
         insufficient information to identify the system;
         and
       • information as to problems and proposed revisions
         in their systems of records as well as EEOC's
         Privacy Act procedures indicated from that
         Manager's periodic review of his or system of
         records.
    3. The Privacy Act Biennial Report. The Legal Counsel
       shall prepare the report to be submitted to the Office
       of Management and Budget. The report will consist of:
       • a summary of compliance actions, problems
         experienced, and recommendations for changes in
         legislation, policies, or procedures;
       • a summary of accomplishments or improvements
         including revised rules, systems of records, etc.;
       • a summary of plans for the upcoming two years as
         to such matters as reviews of routine uses,
         application of exemption provisions, revised
         systems of records, etc.;
       • a list of exempt and nonexempt systems; and
       • a summary of changes in agency procedures and
         current statistics including statistics on the
         number of individuals requesting access, the
         number who were refused, the number of appeals,
         and the number who sought judicial review.
15. LIST OF APPENDICES
    
    Appendix Title
    
    A. EEOC's Privacy Act Regulations 29 C.F.R. 1611
    
    B. EEOC's Notice of Privacy Act Systems of Records
16. OBSOLETE DATA. This Order supersedes EEOC Order No. 156,
    Privacy Act of 1964, dated October 21, 1983.