(a) Notices of systems of records to be published in the Federal Register. (1) The Office of the Federal Register publishes a biennial compilation of all system notices (“Privacy Act Issuances”), as specified in 5 U.S.C. 552a(f). In the interim (between biennial compilations), the Department must list and provide links on its website to complete, up-to-date versions of all Treasury system of records notices (SORNs), including citations and links to all Federal Register notices that reflect substantial modifications to each SORN.

(2) In addition, the Department must publish in the Federal Register upon establishment or significant revision a notice of the existence and character of any new or significantly revised systems of records. Unless otherwise instructed, each notice must include:

(i) The system name and number, and location of the system;

(ii) The title and business address of the Treasury official who is responsible for the system of records;

(iii) Security classification, and indication of whether any information in the system is classified;

(iv) Authority for maintenance of the system, the specific authority that authorizes the maintenance of the records in the system;

(v) Purpose(s) of the system, a description of the purpose(s) for maintaining the system;

(vi) The categories of individuals on whom records are maintained in the system;

(vii) The categories of records maintained in the system;

(viii) The categories of sources of records in the system (see 5 U.S.C. 552a(e)(4));

(ix) Each routine uses of the records contained in the system, including the categories of users and the purpose of such use;

(x)-(xix) [Reserved]

(xx) The policies and practices of the component regarding storage, retrievability, access controls, retention, and disposal of the records;

(xxi) The procedures of the component whereby an individual can be notified if the system of records contains a record pertaining to the individual, including reasonable times, places, and identification requirements;

(xxii) The procedures of the component whereby an individual can be notified on how to gain access to any record pertaining to such individual that may be contained in the system of records, and how to contest its content;

(xxiii) Exemptions promulgated for the system; and

(xxiv) History (any previously published notices).

(b) Notice of new or modified routine uses to be published in the Federal Register. At least 30 days prior to a new use or modification of a routine use, as published under paragraph (a)(3)(iv) of this section, Treasury must publish in the Federal Register notice of such new or modified use of the information in the system and allow for interested persons to submit written data, views, or arguments to the components. (See 5 U.S.C. 552a(e)(11).)

(c) Promulgation of rules exempting systems from certain requirements—(1) General exemptions. In accordance with existing procedures applicable to a Treasury component's issuance of regulations, the head of each such component may adopt rules, in accordance with the requirements (including general notice) of 5 U.S.C. 553(b)(1), (2), and (3), (c) and (e), to exempt any system of records within the component from any part of the Privacy Act and the regulations in this subpart except subsections (b) (§ 1.24, conditions of disclosure), (c)(1) (§ 1.25, keep accurate accounting of disclosures), (c)(2) (§ 1.25, retain accounting for five years or life of record), (e)(4)(A) through (F) (paragraph (a) of this section, publication of annual notice of systems of records), (e)(6) (§ 1.22(d), accuracy of records prior to dissemination), (e)(7) (§ 1.22(e), maintenance of records on First Amendment rights), (e)(9) (§ 1.28, establish rules of conduct), (e)(10) (§ 1.22(d)(3), establish safeguards for records), (e)(11) (paragraph (c) of this section, publish new intended use), and (i) (§ 1.28(c), criminal penalties) if the systems of records maintained by the component which performs as its principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities, and which consists of:

(i) Information compiled for the purpose of identifying individual criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole, and probation status;

(ii) Information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; or

(iii) Reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision. (See 5 U.S.C. 552a(j).)

(2) Specific exemptions. In accordance with existing procedures applicable to a Treasury component's issuance of regulations, the head of each such component may adopt rules, in accordance with the requirements (including general notice) of 5 U.S.C. 553(b)(1), (2), and (3), (c), and (e), to exempt any system of records within the component from 5 U.S.C. 552a(c)(3) (§ 1.25(c)(2), accounting of certain disclosures available to the individual), (d) (§ 1.26(a), access to records), (e)(1) (§ 1.22(a)(1), maintenance of information to accomplish purposes authorized by statute or executive order only), (e)(4)(G) (paragraph (a)(7) of this section, publication of procedures for notification), (e)(4)(H) (paragraph (a)(8) of this section, publication of procedures for access and contest), (e)(4)(I) (paragraph (a)(9) of this section, publication of sources of records), and (f) (§ 1.26, promulgate rules for notification, access and contest), if the system of records is:

(i) Subject to the provisions of 5 U.S.C. 552(b)(1);

(ii) Investigatory material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2) of the Privacy Act and paragraph (a)(1) of this section. If any individual is denied any right, privilege, or benefit that such individual would otherwise be entitled to by Federal law, or for which such individual would otherwise be eligible, as a result of the maintenance of this material, provide such material to the individual, except to the extent that the disclosure of the material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence;

(iii) Maintained in connection with providing protective services to the President of the United States or other individuals pursuant to 18 U.S.C. 3056;

(iv) Required by statute to be maintained and used solely as statistical records;

(v) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence;

(vi) Testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process; or

(vii) Evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence.

(3) Reasons for exemptions. As of November 21, 2022, the head of the component must include in the statement required under 5 U.S.C. 553(c) the reasons why the system of records is to be exempted from a provision of the Privacy Act and this part. (See 5 U.S.C. 552a(j) and (k).)

(d) Review and report to the Office of Management and Budget (OMB). The Department must ensure that the following reviews are conducted:

(1) The Data Integrity Board must conduct a review of all matching programs in which the Department has participated during the calendar year and report to OMB of the following year.

(2) Each component must perform the following reviews with a frequency sufficient to ensure compliance and manage risks:

(i) Review the language of each contract that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information and ensure that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its employees consistent with the agency's authority;

(ii) Ensure that all routine uses remain appropriate and that the recipient's use of the records continues to be compatible with the purpose for which the information was collected;

(iii) Ensure that each exemption claimed for a system of records pursuant to 5 U.S.C. 552a(j) and (k) remains appropriate and necessary;

(iv) Ensure Departmental and component training practices are sufficient and that personnel understand the requirements of the Privacy Act, OMB guidance, the agency's implementing regulations and policies, and any job-specific requirements;

(v) Review all component SORNs as needed to ensure they remain accurate, up-to-date, and appropriately scoped; that all SORNs are published in the Federal Register; that all SORNs include the information required by OMB Circular A-108; and that all significant changes to SORNs have been reported to OMB and Congress; and

(vi) Be prepared to report to the Office of Privacy, Transparency, & Records, as part of the annual Federal Information Security Management Act (FISMA), as amended by the Federal Information Security Modernization Act of 2014, Public Law 113-283, reporting process, the results of the reviews conducted as required by this section, including any corrective action taken to resolve problems uncovered.