§ 1070.50 - Purpose and scope; definitions.

(a) This subpart implements the provisions of the Privacy Act of 1974, 5 U.S.C. 552a (the Privacy Act). The regulations apply to all records maintained by the CFPB and which are retrieved by an individual's name or personal identifier. The regulations set forth the procedures for requests for access to, or amendment of, records concerning individuals that are contained in systems of records maintained by the CFPB. These regulations should be read in conjunction with the Privacy Act, which provides additional information about this topic.

(b) For purposes of this subpart, the following definitions apply:

(1) The term Chief Privacy Officer means the Senior Agency Official for Privacy of the CFPB or any CFPB employee to whom the Senior Agency Official for Privacy has delegated authority to act under this part;

(2) The term guardian means the parent of a minor, or the legal guardian of any individual who has been declared to be incompetent due to physical or mental incapacity or age by a court of competent jurisdiction;

(3) Individual means a citizen of the United States or an alien lawfully admitted for permanent residence;

(4) Maintain includes maintain, collect, use, or disseminate;

(5) Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voiceprint or a photograph;

(6) Routine use means the disclosure of a record that is compatible with the purpose for which it was collected;

(7) System of records means a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual; and

(8) Statistical record means a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by 13 U.S.C. 8.

[83 FR 46095, Sept. 12, 2018, as amended at 86 FR 48901, Sept. 1, 2021]

§ 1070.51 - Authority and responsibilities of the Chief Privacy Officer.

The Chief Privacy Officer is authorized to:

(a) Develop, implement, and maintain an organization-wide privacy program;

(b) Respond to requests for access to, accounting of, or amendment of records contained in a system of records maintained by the CFPB;

(c) Approve the publication of new systems of records and amend existing systems of record; and

(d) File any necessary reports related to the Privacy Act.

§ 1070.52 - Fees.

(a) Copies of records. The CFPB shall provide the requester with copies of records requested pursuant to § 1070.53 at the same cost charged for duplication of records under § 1070.22.

(b) No fee. The CFPB will not charge a fee if:

(1) Total charges associated with a request are less than $5; or

(2) The requester is a CFPB employee or former employee, or an applicant for employment with the CFPB, and the request pertains to that employee, former employee, or applicant.

§ 1070.53 - Request for access to records.

(a) Procedures for making a request for access to records. An individual's requests for access to records that pertain to that individual (or to the individual for whom the requester serves as guardian) may be submitted to the CFPB in writing as follows:

(1) If submitted by mail or delivery service, the request shall be labeled “Privacy Act Request” and shall be addressed to the Chief Privacy Officer, Consumer Financial Protection Bureau, 1700 G Street NW, Washington, DC 20552.

(2) If submitted by electronic means, the request shall be labeled “Privacy Act Request” and the request shall be submitted as set forth at the CFPB's website, http://www.consumerfinance.gov.

(b) Content of a request for access to records. A request for access to records shall include:

(1) A statement that the request is made pursuant to the Privacy Act;

(2) The name of the system of records that the requester believes contains the record requested, or a description of the nature of the record sought in detail sufficient to enable CFPB personnel to locate the system of records containing the record with a reasonable amount of effort;

(3) Whenever possible, a description of the nature of the record sought, the date of the record or the period in which the requester believes that the record was created, and any other information that might assist the CFPB in identifying the record sought (e.g., maiden name, dates of employment, account information, etc.);

(4) Information necessary to verify the requester's identity pursuant to paragraph (c) of this section; and

(5) The mailing or email address where the CFPB's response or further correspondence should be sent.

(c) Verification of identity. To obtain access to the CFPB's records pertaining to a requester, the requester shall provide proof to the CFPB of the requester's identity as provided in paragraphs (c)(1) and (2) of this section.

(1) In general, the following will be considered adequate proof of a requester's identity:

(i) A photocopy of two forms of identification, including one form of identification that bears the requester's photograph, and one form of identification that bears the requester's signature;

(ii) A photocopy of a single form of identification that bears both the requester's photograph and signature;

(iii) A statement swearing or affirming the requester's identity and to the fact that the requester understands the penalties provided in 5 U.S.C. 552a(i)(3); or

(iv) Successful completion of a third-party's identity verification process, designated by the Bureau, where that process meets the requirements of Identity Assurance Level 2 (IAL2) as described by the National Institute of Standards and Technology.

(2) Notwithstanding paragraph (c)(1) of this section, a designated official may require additional proof of the requester's identity before action will be taken on any request, if such official determines that it is necessary to protect against unauthorized disclosure of information in a particular case. In addition, if a requester seeks records pertaining to an individual in the requester's capacity as that individual's guardian, the requester shall be required to provide adequate proof of the requester's legal relationship before action will be taken on any request.

(d) Request for accounting of previous disclosures. An individual may request an accounting of previous disclosures of records pertaining to that individual in a system of records as provided in 5 U.S.C. 552a(c). Such requests should conform to the procedures and form for requests for access to records set forth in paragraphs (a) and (b) of this section.

[83 FR 46095, Sept. 12, 2018, as amended at 86 FR 48901, Sept. 1, 2021]

§ 1070.54 - CFPB procedures for responding to a request for access.

(a) Acknowledgment and response. The CFPB will provide written acknowledgement of the receipt of a request within twenty (20) business days from the receipt of the request and will, where practicable, respond to each request within that twenty (20) day period. When a full response is not practicable within the twenty (20) day period, the CFPB will respond as promptly as possible.

(b) Disclosure. (1) When the CFPB discloses information in response to a request, the CFPB will make the information available for inspection and copying during regular business hours as provided in § 1070.13, or the CFPB will mail it or email it to the requester, if feasible, upon request.

(2) The requester may bring with him or her anyone whom the requester chooses to see the requested material. All visitors to the CFPB's buildings must comply with the applicable security procedures.

(c) Denial of a request. If the CFPB denies a request made pursuant to § 1070.53, it will inform the requester in writing of the reason(s) for denial and the procedures for appealing the denial.

§ 1070.55 - Special procedures for medical records.

If an individual requests medical or psychological records pursuant to § 1070.53, the CFPB will disclose them directly to the requester unless the CFPB determines that such disclosure could have an adverse effect on the requester. If the CFPB makes that determination, the CFPB shall provide the information to a licensed physician or other appropriate representative that the requester designates, who shall disclose those records to the requester in a manner he or she deems appropriate.

§ 1070.56 - Request for amendment of records.

(a) Procedures for making request. (1) If an individual wishes to amend a record that pertains to that individual in a system of records, that individual may submit a request in writing to the Chief Privacy Officer, as set forth in § 1070.53(a). The request shall be labeled “Privacy Act Amendment Request.”

(2) A request for amendment of a record must:

(i) Identify the name of the system of records that the requester believes contains the record for which the amendment is requested, or a description of the nature of the record in detail sufficient to enable CFPB personnel to locate the system of records containing the record with a reasonable amount of effort;

(ii) Specify the portion of that record requested to be amended; and

(iii) Describe the nature and reasons for each requested amendment.

(3) When making a request for amendment of a record, the CFPB will require a requester to verify his or her identity under the procedures set forth in § 1070.53(c), unless the requester has already done so in a related request for access or amendment.

(b) Burden of proof. In a request for amendment of a record, the requester bears the burden of proving by a preponderance of the evidence that the record is not accurate, relevant, timely, or complete.

§ 1070.57 - CFPB review of a request for amendment of records.

(a) Time limits. The CFPB will acknowledge a request for amendment of records within ten (10) business days after it receives the request. In the acknowledgment, the CFPB may request additional information necessary for a determination on the request for amendment. The CFPB will make a determination on a request to amend a record promptly.

(b) Contents of response to a request for amendment. When the CFPB responds to a request for amendment, the CFPB will inform the requester in writing whether the request is granted or denied, in whole or in part. If the CFPB grants the request, it will take the necessary steps to amend the record and, when appropriate and possible, notify prior recipients of the record of its action. If the CFPB denies the request, in whole or in part, it will inform the requester in writing:

(1) Why the request (or portion of the request) was denied;

(2) That the requester has a right to appeal; and

(3) How to file an appeal.

§ 1070.58 - Appeal of adverse determination of request for access or amendment.

(a) Appeal. A requester may appeal a denial of a request made pursuant to § 1070.53 or § 1070.56 within ten (10) business days after the CFPB notifies the requester that it has denied the request.

(b) Content of appeal. A requester may submit an appeal in writing as set forth in § 1070.53(a). The appeal shall be addressed to the General Counsel and labeled “Privacy Act Appeal.” The appeal must also:

(1) Specify the background of the request; and

(2) Provide reasons why the requester believes the denial is in error.

(c) Determination. The General Counsel will make a determination as to whether to grant or deny an appeal within thirty (30) business days from the date it is received, unless the General Counsel extends the time for good cause.

(1) If the General Counsel grants an appeal regarding a request for amendment, he or she will take the necessary steps to amend the record and, when appropriate and possible, notify prior recipients of the record of its action.

(2) If the General Counsel denies an appeal, he or she will inform the requester of such determination in writing, including the reasons for the denial, and the requester's right to file a statement of disagreement and to have a court review its decision.

(d) Statement of disagreement. (1) If the General Counsel denies an appeal regarding a request for amendment, a requester may file a concise statement of disagreement with the denial. The CFPB will maintain the requester's statement with the record that the requester sought to amend and any disclosure of the record will include a copy of the requester's statement of disagreement.

(2) When practicable and appropriate, the CFPB will provide a copy of the statement of disagreement to any prior recipients of the record.

§ 1070.59 - Restrictions on disclosure.

The CFPB will not disclose any record about an individual contained in a system of records to any person or agency without the prior written consent of that individual unless the disclosure is authorized by 5 U.S.C. 552a(b). Disclosures authorized by 5 U.S.C. 552a(b) include disclosures that are compatible with one or more routine uses that are contained within the CFPB's Systems of Records Notices, which are available on the CFPB's website, at http://www.consumerfinance.gov.

§ 1070.60 - Exempt records.

(a) Exempt systems of records. Pursuant to 5 U.S.C. 552a(k)(2), the CFPB exempts the systems of records listed in paragraphs (a)(1) through (4) of this section from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G)-(H), and (f), and §§ 1070.53 through 1070.59, to the extent that such systems of records contain investigatory materials compiled for law enforcement purposes, provided, however, that if any individual is denied any right, privilege, or benefit to which he or she would otherwise be entitled under Federal law, or for which he or she would otherwise be eligible as a result of the maintenance of such material, such material shall be disclosed to such individual, except to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the CFPB under an express promise that the identity of the source would be held in confidence:

(1) CFPB.002 Depository Institution Supervision Database.

(2) CFPB.003 Non-Depository Institution Supervision Database.

(3) CFPB.004 Enforcement Database.

(4) CFPB.005 Consumer Response System.

(b) Information compiled for civil actions or proceedings. This subpart does not permit an individual to have access to any information compiled in reasonable anticipation of a civil action or proceeding.

§ 1070.61 - Training; rules of conduct; penalties for non-compliance.

(a) Training. The Chief Privacy Officer shall institute a training program to instruct CFPB employees and contractor personnel covered by 5 U.S.C. 552a(m), who are involved in the design, development, operation, or maintenance of any CFPB system of records, on a continuing basis with respect to the duties and responsibilities imposed on them and the rights conferred on individuals by the Privacy Act, the regulations in this subpart, and any other related regulations. Such training shall provide suitable emphasis on the civil and criminal penalties imposed on the CFPB and the individual employees or contractor personnel by the Privacy Act for non-compliance with specified requirements of the Act as implemented by the regulations in this subpart.

(b) Rules of conduct. The following rules of conduct are applicable to employees of the CFPB (including, to the extent required by the contract or 5 U.S.C. 552a(m), Government contractors and employees of such contractors), who are involved in the design, development, operation or maintenance of any system of records, or in maintaining any records, for or on behalf of the CFPB.

(1) The head of each office of the CFPB shall be responsible for assuring that employees subject to such official's supervision are advised of the provisions of the Privacy Act, including the criminal penalties and civil liabilities provided therein, and the regulations in this subpart, and that such employees are made aware of their individual and collective responsibilities to protect the security of personal information, to assure its accuracy, relevance, timeliness and completeness, to avoid unauthorized disclosure either orally or in writing, and to ensure that no system of records is maintained without public notice.

(2) Employees of the CFPB involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record shall:

(i) Collect no information of a personal nature from individuals unless authorized to collect it to achieve a function or carry out a responsibility of the CFPB;

(ii) Collect information, to the extent practicable, directly from the individual to whom it relates;

(iii) Inform each individual asked to supply information, on the form used to collect the information or on a separate form that can be retained by the individual of—

(A) The authority (whether granted by statute, or by executive order of the President) which authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary;

(B) The principal purpose or purposes for which the information is intended to be used;

(C) The routine uses which may be made of the information, as published pursuant to 5 U.S.C. 552a(e)(4)(D); and

(D) The effects on the individual, if any, of not providing all or any part of the requested information;

(iv) Not collect, maintain, use or disseminate information concerning an individual's religious or political beliefs or activities or membership in associations or organizations, unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity;

(v) Advise their supervisors of the existence or contemplated development of any record system which is capable of retrieving information about individuals by individual identifier;

(vi) Assure that no records maintained in a CFPB system of records are disseminated without the permission of the individual about whom the record pertains, except when authorized by 5 U.S.C. 552a(b);

(vii) Maintain and process information concerning individuals with care in order to ensure that no inadvertent disclosure of the information is made either within or without the CFPB;

(viii) Prior to disseminating any record about an individual to any person other than an agency, unless the dissemination is made pursuant to 5 U.S.C. 552a(b)(2), make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes; and

(ix) Assure that an accounting is kept in the prescribed form, of all dissemination of personal information outside the CFPB, whether made orally or in writing, unless disclosed under 5 U.S.C. 552 or subpart B of this part.

(3) The head of each office of the CFPB shall, at least annually, review the record systems subject to their supervision to ensure compliance with the provisions of the Privacy Act of 1974 and the regulations in this subpart.

§ 1070.62 - Preservation of records.

The CFPB will preserve all correspondence pertaining to the requests that it receives under this part, as well as copies of all requested records, until disposition or destruction is authorized by title 44 of the United States Code or the National Archives and Records Administration's General Records Schedule 14. Records will not be disposed of or destroyed while they are the subject of a pending request, appeal, proceeding, or lawsuit.

§ 1070.63 - Use and collection of Social Security numbers.

The CFPB will ensure that employees authorized to collect information are aware:

(a) That individuals may not be denied any right, benefit, or privilege as a result of refusing to provide their Social Security numbers, unless the collection is authorized either by a statute or by a regulation issued prior to 1975; and

(b) That individuals requested to provide their Social Security numbers must be informed of:

(1) Whether providing Social Security numbers is mandatory or voluntary;

(2) Any statutory or regulatory authority that authorizes the collection of Social Security numbers; and

(3) The uses that will be made of the numbers.