Effective Date: 10/10/84
Series: Administrative Services
Part 383: Privacy Act Policy
Chapter 6: Notification, Access and Amendment Procedures
Originating Office: Office of Information Resources Management
383 DM 6
6.1 Purpose. This chapter prescribes general procedures regarding an individual’s rights to know about, inspect and request amendment of records relating to him/her which are maintained in a system of records subject to the Privacy Act. Unless records are exempted as explained below, the Act gives individuals the right to know of the existence of records containing information about themselves (notification); to inspect the records to ensure their relevance, necessity, and accuracy (access); and to request changes in the information in the records when the information is irrelevant, unnecessary, or inaccurate (amendment).
6.2 Form of Request. To claim the rights afforded by the Privacy Act, an individual should be advised of, and must follow, the formal procedures established by the Department’s regulations. 43 CFR 2.60 (notification), 2.63 (access), and 2.71 (amendment) and the "Records Access Procedure" section of the notices describing systems of records instruct individuals how to submit their inquiries if they wish to invoke the Privacy Act. The system notices also instruct individuals as to where their written requests are to be addressed. See 383 DM 6.11 for guidance on handling combined FOIA and Privacy Act requests received from individuals for access to their records.
6.3 Informal Requests. Requests for notification, access, or amendment that do not conform to the requirements of the Departmental regulations, such as an oral request, may be honored by the bureau or office responsible for the system of records as a matter of administrative discretion. It is not necessary to require individuals to invoke the Privacy Act.
6.4 Exempted Records. The Privacy Act recognizes that some records on individuals should not be made available to the individuals. These exemptions from the notification and access provisions of the Act primarily involve records gathered in the course of criminal investigations, during the recruitment of new employees, or involving tests which could be compromised if shown to individuals. These exemptions apply only if adopted through rulemaking by the Secretary. The systems of records which have been exempted in whole or part from notification, access and amendment are listed in 43 CFR 2.79. In addition, records on individuals compiled in reasonable anticipation of a civil action or proceeding are not required to be made available to the individual.
Responding to Requests Involving Exempted Systems. The fact that a system of records has been exempted under some provisions of the Act does not mean that systems managers may not inform individuals that records on the individual exist or make the records available to the individual for inspection. Such decisions, however, cannot be capricious or arbitrary. Systems managers should develop, through experience, criteria that will permit, to the greatest extent practical, access by individuals to their records which are included in an exempted system of records.
Criteria for Denying Notification or Access Under an Exemption. Systems managers responsible for exempted systems of records shall be prepared to report on any criteria which have been developed as guidelines in denying a notification or access request, though these criteria need not be expressed in the denial to individuals. The exemption status is not to be viewed as an automatic command to deny but should be applied according to statable criteria.
Statutory Exemption. In addition to the provisions authorizing the Secretary to exempt records through rulemaking, the Act does contain one statutory exemption. This exemption provides that the Act does not allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.
6.5 Notification, Access and Amendment Guidelines. Guidelines suitable to the system of records shall be developed which instruct employees and contractors administering and maintaining the system on handling notification, access and amendment requests. These guidelines shall clearly state the rights of the named individuals to know about, see and request amendment except when the system of records has been exempted under the rulemaking provisions of the Act. The guidelines shall also clearly inform employees about handling situations that could lead to denying any request made by individuals with respect to their records.
6.6 Amendment of Records.
Changing the Records. When a record is changed in response to a request for amendment, the prior information shall be completely expunged from the file unless there is good reason to retain the prior information and retention is not inconsistent with the request for amendment. Such retention may be appropriate when the amendment updates a file rather than removes objectionable material and the prior information meets the requirements of the Act that information be correct, relevant and necessary.
Disclosure Notifications. The Privacy Act requires that all persons or agencies to whom incorrect or disputed data was disclosed, and for whom a disclosure accounting was made, be notified of the correct data or that it is in dispute. This notification requirement applies whether the change is made under the Privacy Act amendment provisions or in response to an informal request for amendment.
Filing Amendment Requests. Records accumulated in the course of an individual’s exercise of rights under the Privacy Act and information on this exercise of rights shall be retained, unless disposed of, in a way that will not taint the amended records or work against the interests of the individual.
6.7 Time Limits. The Privacy Act requires that requests for amendment be responded to or acknowledged within ten (10) working days of the request. The Department’s regulations specify that the request shall be acted on within 30 working days, unless extended 30 days by the system manager in accordance with the regulations (43 CFR 2.73). To the extent possible, the 10-day acknowledgment and 30-day action time limits should also be observed for inquiries about the existence of records or requests to inspect the records.
6.8 Authority to Deny. The Departmental regulations, 43 CFR 2.61(b), 2.64(b) and 2.72(b), require that denials shall be made by the system manager responsible for the system of records.
A. In the bureaus, the denial shall be concurred in by the Bureau Privacy Act Officer. However, the head of the bureau may, in writing, require that the decision be made by the Bureau Privacy Act Officer and/or that concurrence of the bureau head in the decision be obtained. Each bureau and system manager shall ensure that employees handling records covered by the Privacy Act are aware of this limitation.
B. In the Office of the Secretary and other Departmental offices not a part of a bureau, denials of access or amendment requests shall be made by the pertinent system manager, with the concurrence of the head of the office, or the office’s Privacy Act Officer/Coordinator if formally designated and authorized as prescribed in 43 CFR 2.61(b), 2.64(b), and 2.72(b).
6.9 General Guidelines Procedures. Appendix 1 to this chapter contains a set of general guidelines dealing with access situations for employees working with a system of records. These optional guidelines are to be supplemented with guidelines specific to each system of records, as discussed in 383 DM 4.4D.
6.10 Recordkeeping Requirements. System managers are responsible for maintaining records on formal access and amendment requests received during each calendar year. Formal requests are defined as written requests in which the individual cites or invokes the provisions of the Privacy Act. Data on the number of formal access or amendment requests received, number wholly or partially granted, number totally denied, and the number for which no records were found must be maintained for each system of records. The data is required to be included in the bureau’s annual report on the implementation of the Privacy Act as described in 383 DM 10.
6.11 Combined FOIA/Privacy Act Requests. From time to time, individuals may seek access to their records by citing both the FOIA and the Privacy Act. In such cases, the request must be handled so that the individuals are granted the greatest access to their records that either Act provides. The Department should, in applying any access restrictions, rely on the weakest exemption available, generally a FOIA exemption. If a written request from an individual for access to his/her records cites neither the FOIA nor the Privacy Act, and it is administratively decided to treat the request under either Act, then the request should be handled as a formal combined FOIA/Privacy Act request.
A. In processing such combined requests, the Department’s fee provisions applicable to Privacy Act requests (43 CFR 2.64(d)) should be followed (i.e., the individual may only be charged for reproduction of the records and not for search time) to the extent that the requested records are part of a system of records.
B. The time limits applicable to FOIA requests (43 CFR 2.16) should be followed in processing such dual requests.
Content provided by:
Marilyn Legnini
DOI Privacy Act Officer
MS-5312, MIB
1849 C Street, N.W.
Washington, DC 20240
Phone: (202) 219-0868
Fax: (202) 501-2360