The Federal Housing Finance Agency (FHFA) issued this part to—

(a) Implement the Privacy Act, a Federal law that helps protect private information about individuals that Federal agencies collect or maintain. You should read this part together with the Privacy Act, which provides additional information about records maintained on individuals;

(b) Establish rules that apply to all FHFA and FHFA Office of Inspector General (FHFA-OIG) maintained systems of records retrievable by an individual's name or other personal identifier;

(c) Describe procedures through which you may request access to records, request amendment or correction of those records, or request an accounting of disclosures of those records by FHFA or FHFA-OIG;

(d) Inform you, that when it is appropriate to do so, FHFA or FHFA-OIG automatically processes a Privacy Act request for access to records under both the Privacy Act and FOIA, following the rules contained in this part and in FHFA's Freedom of Information Act regulation at part 1202 of this title so that you will receive the maximum amount of information available to you by law;

(e) Notify you that this part does not entitle you to any service or to the disclosure of any record to which you are not entitled under the Privacy Act. It also does not, and may not be relied upon, to create any substantive or procedural right or benefit enforceable against FHFA or FHFA-OIG; and

(f) Notify you that this part applies to both FHFA and FHFA-OIG.

The following definitions apply to the terms used in this part—

Access means making a record available to a subject individual.

Amendment means any correction of, addition to, or deletion from a record.

Court means any entity conducting a legal proceeding.

Days, unless stated as “calendar days,” are working days and do not include Saturdays, Sundays, and federal holidays. If the last day of any period prescribed herein falls on a Saturday, Sunday, or federal holiday, the last day of the period will be the next working day that is not a Saturday, Sunday, or federal holiday.

FHFA means the Federal Housing Finance Agency and includes its predecessor agencies, the Office of Federal Housing Enterprise Oversight (OFHEO) and the Federal Housing Finance Board (FHFB).

FHFA-OIG means the Office of Inspector General for FHFA.

FOIA means the Freedom of Information Act, as amended (5 U.S.C. 552).

Individual means a natural person who is either a citizen of the United States of America or an alien lawfully admitted for permanent residence.

Maintain includes collect, use, disseminate, or control.

Privacy Act means the Privacy Act of 1974, as amended (5 U.S.C. 552a).

Privacy Act Appeals Officer means a person designated by the FHFA Director to process appeals of denials of requests for or seeking amendment of records maintained by FHFA under the Privacy Act. For appeals pertaining to records maintained by FHFA-OIG, Privacy Act Appeals Officer means a person designated by the FHFA Inspector General to process appeals of denials of requests for or seeking amendment of records maintained by FHFA-OIG under the Privacy Act.

Privacy Act Officer means a person designated by the FHFA Director who has primary responsibility for privacy and data protection policy and is authorized to process requests for or amendment of records maintained by FHFA under the Privacy Act. For requests pertaining to records maintained by FHFA-OIG, Privacy Act Officer means a person designated by the FHFA Inspector General to process requests for or amendment of records maintained by FHFA-OIG under the Privacy Act.

Record means any item, collection, or grouping of information about an individual that FHFA or FHFA-OIG maintains within a system of records, including, but not limited to, the individual's name, an identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print, or photograph.

Routine use means the purposes for which records and information contained in a system of records may be disclosed by FHFA or FHFA-OIG without the consent of the subject of the record. Routine uses for records are identified in each system of records notice. Routine use does not include disclosure that subsection (b) of the Privacy Act (5 U.S.C. 552a(b)) otherwise permits.

Senior Agency Official for Privacy means a person designated by the FHFA Director who has the authority and responsibility to oversee and supervise the FHFA privacy program and implementation of the Privacy Act.

System of Records means a group of records FHFA or FHFA-OIG maintains or controls from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Single records or groups of records that are not retrieved by a personal identifier are not part of a system of records.

System of Records Notice means a notice published in the Federal Register which announces the creation, deletion, or amendment of one or more system of records. System of records notices are also used to identify a system of records' routine uses.

(a) What is a valid request? In general, a Privacy Act request can be made on your own behalf for records or information about you. You can make a Privacy Act request on behalf of another individual as the parent or guardian of a minor, or as the guardian of someone determined by a court to be incompetent. You also may request access to another individual's record or information if you have that individual's written consent, unless other conditions of disclosure apply.

(b) How and where do I make a request? Your request must be in writing. Regardless of whether your request seeks records from FHFA, FHFA-OIG, or both, you may appear in person to submit your written request to the FHFA Privacy Act Officer, or send your written request to the FHFA Privacy Act Officer by electronic mail, mail, delivery service, or facsimile. The electronic mail address is: [email protected]. For mail or delivery service, the address is: FHFA Privacy Act Officer, Federal Housing Finance Agency, 400 Seventh Street, SW., Eighth Floor, Washington, DC 20219. The facsimile number is (202) 649-1073. Requests for FHFA-OIG maintained records will be forwarded to FHFA-OIG for processing and direct response. You can help FHFA and FHFA-OIG process your request by marking electronic mail, letters, or facsimiles and the subject line, envelope, or facsimile cover sheet with “Privacy Act Request.” FHFA's “Privacy Act Reference Guide,” which is available on FHFA's Web site, http://www.fhfa.gov, provides additional information to assist you in making your request.

(c) What must the request include? You must describe the record that you want in enough detail to enable either the FHFA or FHFA-OIG Privacy Act Officer to locate the system of records containing it with a reasonable amount of effort. Include specific information about each record sought, such as the time period in which you believe it was compiled, the name or identifying number of each system of records in which you believe it is kept, and the date, title or name, author, recipient, or subject matter of the record. As a general rule, the more specific you are about the record that you want, the more likely FHFA or FHFA-OIG will be able to locate it in response to your request.

(d) How do I request amendment or correction of a record? If you are requesting an amendment or correction of any FHFA or FHFA-OIG record, identify each particular record in question and the system of records in which the record is located, describe the amendment or correction that you want, and state why you believe that the record is not accurate, relevant, timely, or complete. You may submit any documentation that you think would be helpful, including an annotated copy of the record.

(e) How do I request for an accounting of disclosures? If you are requesting an accounting of disclosures by FHFA or FHFA-OIG of a record to another person, organization, or Federal agency, you must identify each particular record in question. An accounting generally includes the date, nature, and purpose of each disclosure, as well as the name and address of the person, organization, or Federal agency to which the disclosure was made, subject to § 1204.7.

(f) Must I verify my identity? Yes. When making requests under the Privacy Act, your request must verify your identity to protect your privacy or the privacy of the individual on whose behalf you are acting. If you make a Privacy Act request and you do not follow these identity verification procedures, FHFA or FHFA-OIG cannot and will not process your request.

(1) How do I verify my identity? To verify your identity, you must state your full name, current address, and date and place of birth. In order to help identify and locate the records you request, you also may, at your option, include your Social Security number. If you make your request in person and your identity is not known to either the FHFA or FHFA-OIG Privacy Act Officer, you must provide either two forms of unexpired identification with photographs issued by a federal, state, or local government agency or entity (i.e. passport, passport card, driver's license, ID card, etc.), or one form of unexpired identification with a photograph issued by a federal, state, or local government agency or entity (i.e. passport, passport card, driver's license, ID card, etc.) and a properly authenticated birth certificate. If you make your request by mail, your signature either must be notarized or submitted under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization. You may fulfill this requirement by having your signature on your request letter witnessed by a notary or by including the following statement just before the signature on your request letter: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on [date]. [Signature].”

(2) How do I verify parentage or guardianship? If you make a Privacy Act request as the parent or guardian of a minor, or as the guardian of someone determined by a court to be incompetent, with respect to records or information about that individual, you must establish—

(i) The identity of the individual who is the subject of the record, by stating the individual's name, current address, date and place of birth, and, at your option, the Social Security number of the individual;

(ii) Your own identity, as required in paragraph (f)(1) of this section;

(iii) That you are the parent or guardian of the individual, which you may prove by providing a properly authenticated copy of the individual's birth certificate showing your parentage or a properly authenticated court order establishing your guardianship; and

(iv) That you are acting on behalf of the individual in making the request.

[76 FR 51871, Aug. 19, 2011, as amended at 77 FR 4646, Jan. 31, 2012; 80 FR 80233, Dec. 24, 2015]

(a) How will FHFA or FHFA-OIG locate the requested records? FHFA or FHFA-OIG will search to determine if requested records exist in the system of records it owns or controls. You can find FHFA and FHFA-OIG system of records notices on our Web site at http://www.fhfa.gov. You can also find descriptions of OFHEO and FHFB system of records that have not yet been superseded on the FHFA Web site. A description of the system of records also is available in the “Privacy Act Issuances” compilation published by the Office of the Federal Register of the National Archives and Records Administration. You can access the “Privacy Act Issuances” compilation in most large reference and university libraries or electronically at the Government Printing Office Web site at: http://www.gpoaccess.gov/privacyact/index.html. You also can request a copy of FHFA or FHFA-OIG system of records from the Privacy Act Officer.

(b) How long does FHFA or FHFA-OIG have to respond? Either the FHFA or FHFA-OIG Privacy Act Officer generally will respond to your request in writing within 20 days after receiving it, if it meets the § 1204.3 requirements. For requests to amend a record, either the FHFA or FHFA-OIG Privacy Act Officer will respond within 10 days after receipt of the request to amend. FHFA or FHFA-OIG may extend the response time in unusual circumstances, such as when consultation is needed with another Federal agency (if that agency is subject to the Privacy Act) about a record or to retrieve a record shipped offsite for storage. If you submit your written request in person, either the FHFA or FHFA-OIG Privacy Act Officer may disclose records or information to you directly and create a written record of the grant of the request. If you are to be accompanied by another person when accessing your record or any information pertaining to you, FHFA or FHFA-OIG may require your written authorization before permitting access or discussing the record in the presence of the other person.

(c) What will the FHFA or FHFA-OIG response include? The written response will include a determination to grant or deny your request in whole or in part, a brief explanation of the reasons for the determination, and the amount of the fee charged, if any, under § 1204.6. If you are granted a request to access a record, FHFA or FHFA-OIG will make the record available to you. If you are granted a request to amend or correct a record, the response will describe any amendments or corrections made and advise you of your right to obtain a copy of the amended or corrected record.

(d) What is an adverse determination? An adverse determination is a determination on a Privacy Act request that—

(1) Withholds any requested record in whole or in part;

(2) Denies a request for an amendment or correction of a record in whole or in part;

(3) Declines to provide a requested accounting of disclosures;

(4) Advises that a requested record does not exist or cannot be located; or

(5) Finds what has been requested is not a record subject to the Privacy Act.

(e) What will be stated in a response that includes an adverse determination? If an adverse determination is made with respect to your request, either the FHFA or FHFA-OIG Privacy Act Officer's written response under this section will identify the person responsible for the adverse determination, state that the adverse determination is not a final action of FHFA or FHFA-OIG, and state that you may appeal the adverse determination under § 1204.5.

(a) May I appeal the response? You may appeal any adverse determination made in response to your Privacy Act request. If you wish to seek review by a court of any adverse determination or denial of a request, you must first appeal it under this section.

(b) How do I appeal the response?—(1) You may appeal by submitting in writing, a statement of the reasons you believe the adverse determination should be overturned. FHFA or FHFA-OIG must receive your written appeal within 30 calendar days of the date of the adverse determination under § 1204.4. Your written appeal may include as much or as little related information as you wish, as long as it clearly identifies the determination (including the request number, if known) that you are appealing.

(2) If FHFA or FHFA-OIG denied your request in whole or in part, you may appeal the denial by writing directly to the FHFA Privacy Act Appeals Officer through electronic mail, mail, delivery service, or facsimile. The electronic mail address is: [email protected]. For mail or express mail, the address is: FHFA Privacy Act Appeals Officer, Federal Housing Finance Agency, 400 Seventh Street, SW., Eighth Floor, Washington, DC 20219. The facsimile number is: (202) 649-1073. For appeals of FHFA-OIG denials, whether in whole or in part, the appeal must be clearly marked by adding “FHFA-OIG” after “Privacy Act Appeal.” All appeals from denials, in whole or part, made by FHFA-OIG will be forwarded to the FHFA-OIG Privacy Act Appeals Officer for processing and direct response. You can help FHFA and FHFA-OIG process your appeal by marking electronic mail, letters, or facsimiles and the subject line, envelope, or facsimile cover sheet with “Privacy Act Appeal.” FHFA's “Privacy Act Reference Guide,” which is available on FHFA's Web site, http://www.fhfa.gov, provides additional information to assist you in making your appeal. FHFA or FHFA-OIG ordinarily will not act on an appeal if the Privacy Act request becomes a matter of litigation.

(3) If you need more time to file your appeal, you may request an extension of time of no more than ten (10) calendar days in which to file your appeal, but only if your request is made within the original 30-calendar day time period for filing the appeal. Granting an extension is in the sole discretion of either the FHFA or FHFA-OIG Privacy Act Appeals Officer.

(c) Who has the authority to grant or deny appeals? For appeals from the FHFA Privacy Act Officer, the FHFA Privacy Act Appeals Officer is authorized to act on your appeal. For appeals from the FHFA-OIG Privacy Act Officer, the FHFA-OIG Privacy Act Appeals Officer is authorized to act on your appeal.

(d) When will FHFA or FHFA-OIG respond to my appeal? FHFA or FHFA-OIG generally will respond to you in writing within 30 days of receipt of an appeal that meets the requirements of paragraph (b) of this section, unless for good cause shown, the FHFA or FHFA-OIG Privacy Act Appeals Officer extends the response time.

(e) What will the FHFA or FHFA-OIG response include? The written response will include the determination of either the FHFA or FHFA-OIG Privacy Act Appeals Officer, whether to grant or deny your appeal in whole or in part, a brief explanation of the reasons for the determination, and information about the Privacy Act provisions for court review of the determination.

(1) If your appeal concerns a request for access to records or information and the appeal determination grants your access, the records or information, if any, will be made available to you.

(2)(i) If your appeal concerns an amendment or correction of a record and the appeal determination grants your request for an amendment or correction, the response will describe any amendment or correction made to the record and advise you of your right to obtain a copy of the amended or corrected record under this part. FHFA or FHFA-OIG will notify all persons, organizations, or Federal agencies to which it previously disclosed the record, if an accounting of that disclosure was made, that the record has been amended or corrected. Whenever the record is subsequently disclosed, the record will be disclosed as amended or corrected.

(ii) If the response to your appeal denies your request for an amendment or correction to a record, the response will advise you of your right to file a Statement of Disagreement under paragraph (f) of this section.

(f) What is a Statement of Disagreement?—(1) A Statement of Disagreement is a concise written statement in which you clearly identify each part of any record that you dispute and explain your reason(s) for disagreeing with either the FHFA or FHFA-OIG Privacy Act Appeals Officer's denial, in whole or in part, of your appeal requesting amendment or correction. Your Statement of Disagreement must be received by either the FHFA or FHFA-OIG Privacy Act Officer within 30 calendar days of either the FHFA or FHFA-OIG Privacy Act Appeals Officer's denial, in whole or in part, of your appeal concerning amendment or correction of a record. FHFA and FHFA-OIG will place your Statement of Disagreement in the system of records in which the disputed record is maintained. FHFA and FHFA-OIG may also append a concise statement of its reason(s) for denying the request for an amendment or correction of the record.

(2) FHFA and FHFA-OIG will notify all persons, organizations, and Federal agencies to which it previously disclosed the disputed record, if an accounting of that disclosure was made, that the record is disputed and provide your Statement of Disagreement and the FHFA or FHFA-OIG concise statement, if any. Whenever the disputed record is subsequently disclosed, a copy of your Statement of Disagreement and the FHFA or FHFA-OIG concise statement, if any, will also be disclosed.

[76 FR 51871, Aug. 19, 2011, as amended at 77 FR 4646, Jan. 31, 2012; 80 FR 80233, Dec. 24, 2015]

(a) Must I agree to pay fees? Your Privacy Act request is your agreement to pay all applicable fees, unless you specify a limit on the amount of fees you agree to pay. FHFA or FHFA-OIG will not exceed the specified limit without your written agreement.

(b) How does FHFA or FHFA-OIG calculate fees? FHFA and FHFA-OIG will charge a fee for duplication of a record under the Privacy Act in the same way it charges for duplication of records under FOIA in 12 CFR 1202.11. There are no fees to search for or review records.

(a) What is a Privacy Act exemption? The Privacy Act authorizes the Director and the FHFA Inspector General to exempt records or information in a system of records from some of the Privacy Act requirements, if the Director or the FHFA Inspector General, as appropriate, determines that the exemption is necessary.

(b) How do I know if the records or information I want are exempt?—(1) Each system of records notice will advise you if the Director or the FHFA Inspector General has determined records or information in records are exempt from Privacy Act requirements. If the Director or the FHFA Inspector General has claimed an exemption for a system of records, the system of records notice will identify the exemption and the provisions of the Privacy Act from which the system is exempt.

(2) Until superseded by FHFA or FHFA-OIG systems of records, the following OFHEO and FHFB systems of records are, under 5 U.S.C. 552a(k)(2) or (k)(5), exempt from the Privacy Act requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f)—

(i) OFHEO-11 Litigation and Enforcement Information System; and

(ii) FHFB-5 Agency Personnel Investigative Records.

(c) What exemptions potentially apply to FHFA-OIG records? Unless the FHFA Inspector General, his or her designee, or a statute specifically authorizes disclosure, FHFA-OIG will not release records of matters that are subject to the following exemptions—

(1) To the extent that the systems of records entitled “FHFA-OIG Audit Files Database,” “FHFA-OIG Investigative & Evaluative Files Database,” “FHFA-OIG Investigative & Evaluative MIS Database,” “FHFA-OIG Hotline Database,” and “FHFA-OIG Correspondence Database” contain any information compiled by FHFA-OIG for the purpose of criminal law enforcement investigations, such information falls within the scope of exemption (j)(2) of the Privacy Act, 5 U.S.C. 552a(j)(2), and therefore these systems of records are exempt from the requirements of the following subsections of the Privacy Act to that extent, for the reasons stated in paragraphs (1)(i) through (vi) of this section.

(i) From 5 U.S.C. 552a(c)(3), because release of an accounting of disclosures to an individual who is the subject of an investigation or evaluation could reveal the nature and scope of the investigation or evaluation and could result in the altering or destruction of evidence, improper influencing of witnesses, and other evasive actions that could impede or compromise the investigation or evaluation.

(ii) From 5 U.S.C. 552a(d)(1), because release of investigative or evaluative records to an individual who is the subject of an investigation or evaluation could interfere with pending or prospective law enforcement proceedings, constitute an unwarranted invasion of the personal privacy of third parties, reveal the identity of confidential sources, or reveal sensitive investigative or evaluative techniques and procedures.

(iii) From 5 U.S.C. 552a(d)(2), because amendment or correction of investigative or evaluative records could interfere with pending or prospective law enforcement proceedings, or could impose an impossible administrative and investigative or evaluative burden by requiring FHFA-OIG to continuously retrograde its investigations or evaluations attempting to resolve questions of accuracy, relevance, timeliness, and completeness.

(iv) From 5 U.S.C. 552a(e)(1), because it is often impossible to determine relevance or necessity of information in the early stages of an investigation or evaluation. The value of such information is a question of judgment and timing; what appears relevant and necessary when collected may ultimately be evaluated and viewed as irrelevant and unnecessary to an investigation or evaluation. In addition, FHFA-OIG may obtain information concerning the violation of laws other than those within the scope of its jurisdiction. In the interest of effective law enforcement, FHFA-OIG should retain this information because it may aid in establishing patterns of unlawful activity and provide leads for other law enforcement agencies. Further, in obtaining evidence during an investigation or evaluation, information may be provided to FHFA-OIG that relates to matters incidental to the main purpose of the investigation or evaluation, but which may be pertinent to the investigative or evaluative jurisdiction of another agency. Such information cannot readily be identified.

(v) From 5 U.S.C. 552a(e)(2), because in a law enforcement investigation or an evaluation it is usually counterproductive to collect information to the greatest extent practicable directly from the subject thereof. It is not always feasible to rely upon the subject of an investigation or evaluation as a source for information which may implicate him or her in illegal activities. In addition, collecting information directly from the subject could seriously compromise an investigation or evaluation by prematurely revealing its nature and scope, or could provide the subject with an opportunity to conceal criminal activities, or intimidate potential sources, in order to avoid apprehension.

(vi) From 5 U.S.C. 552a(e)(3), because providing such notice to the subject of an investigation or evaluation, or to other individual sources, could seriously compromise the investigation or evaluation by prematurely revealing its nature and scope, or could inhibit cooperation, permit the subject to evade apprehension, or cause interference with undercover activities.

(2) To the extent that the systems of records entitled “FHFA-OIG Audit Files Database,” “FHFA-OIG Investigative & Evaluative Files Database,” “FHFA-OIG Investigative & Evaluative MIS Database,” “FHFA-OIG Hotline Database,” and “FHFA-OIG Correspondence Database,” contain information compiled by FHFA-OIG for the purpose of criminal law enforcement investigations, such information falls within the scope of exemption (k)(2) of the Privacy Act, 5 U.S.C. 552a(k)(2), and therefore these systems of records are exempt from the requirements of the following subsections of the Privacy Act to that extent, for the reasons stated in paragraphs (c)(2)(i) through (iv) of this section.

(i) From 5 U.S.C. 552a(c)(3), because release of an accounting of disclosures to an individual who is the subject of an investigation or evaluation could reveal the nature and scope of the investigation or evaluation and could result in the altering or destruction of evidence, improper influencing of witnesses, and other evasive actions that could impede or compromise the investigation or evaluation.

(ii) From 5 U.S.C. 552a(d)(1), because release of investigative or evaluative records to an individual who is the subject of an investigation or evaluation could interfere with pending or prospective law enforcement proceedings, constitute an unwarranted invasion of the personal privacy of third parties, reveal the identity of confidential sources, or reveal sensitive investigative or evaluative techniques and procedures.

(iii) From 5 U.S.C. 552a(d)(2), because amendment or correction of investigative or evaluative records could interfere with pending or prospective law enforcement proceedings, or could impose an impossible administrative and investigative or evaluative burden by requiring FHFA-OIG to continuously retrograde its investigations or evaluations attempting to resolve questions of accuracy, relevance, timeliness, and completeness.

(iv) From 5 U.S.C. 552a(e)(1), because it is often impossible to determine relevance or necessity of information in the early stages of an investigation or evaluation. The value of such information is a question of judgment and timing; what appears relevant and necessary when collected may ultimately be evaluated and viewed as irrelevant and unnecessary to an investigation or evaluation. In addition, FHFA-OIG may obtain information concerning the violation of laws other than those within the scope of its jurisdiction. In the interest of effective law enforcement, FHFA-OIG should retain this information because it may aid in establishing patterns of unlawful activity and provide leads for other law enforcement agencies. Further, in obtaining evidence during an investigation or evaluation, information may be provided to FHFA-OIG that relates to matters incidental to the main purpose of the investigation or evaluation but which may be pertinent to the investigative or evaluative jurisdiction of another agency. Such information cannot readily be identified.

(3) To the extent that the systems of records entitled “FHFA-OIG Audit Files Database,” “FHFA-OIG Investigative & Evaluative Files Database,” “FHFA-OIG Investigative & Evaluative MIS Database,” “FHFA-OIG Hotline Database,” and “FHFA-OIG Correspondence Database” contain any investigatory material compiled by FHFA-OIG for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment or Federal contracts, the release of which would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, such information falls within the scope of exemption (k)(5) of the Privacy Act, 5 U.S.C. 552a(k)(5), and therefore these systems of records are exempt from the requirements of subsection (d)(1) of the Privacy Act to that extent, because release would reveal the identity of a source who furnished information to the Government under an express promise of confidentiality. Revealing the identity of a confidential source could impede future cooperation by sources, and could result in harassment or harm to such sources.

(a) What controls must FHFA and FHFA-OIG have in place? FHFA and FHFA-OIG must establish administrative and physical controls to prevent unauthorized access to their systems of records, unauthorized or inadvertent disclosure of records, and physical damage to or destruction of records. The stringency of these controls corresponds to the sensitivity of the records that the controls protect. At a minimum, the administrative and physical controls must ensure that—

(1) Records are protected from public view;

(2) The area in which records are kept is supervised during business hours to prevent unauthorized persons from having access to them;

(3) Records are inaccessible to unauthorized persons outside of business hours; and

(4) Records are not disclosed to unauthorized persons or under unauthorized circumstances in either oral or written form.

(b) Is access to records restricted? Access to records is restricted to authorized employees who require access in order to perform their official duties.

FHFA and FHFA-OIG collect Social Security numbers only when it is necessary and authorized. At least annually, the FHFA Privacy Act Officer or the Senior Agency Official for Privacy will inform employees who are authorized to collect information that—

(a) Individuals may not be denied any right, benefit, or privilege as a result of refusing to provide their Social Security numbers, unless the collection is authorized either by a statute or by a regulation issued prior to 1975; and

(b) They must inform individuals who are asked to provide their Social Security numbers—

(1) If providing a Social Security number is mandatory or voluntary;

(2) If any statutory or regulatory authority authorizes collection of a Social Security number; and

(3) The uses that will be made of the Social Security number.

At least annually, the FHFA Privacy Act Officer or the Senior Agency Official for Privacy will inform employees about the provisions of the Privacy Act, including the Privacy Act's civil liability and criminal penalty provisions. Unless otherwise permitted by law, an authorized FHFA or FHFA-OIG employee shall—

(a) Collect from individuals only information that is relevant and necessary to discharge FHFA or FHFA-OIG responsibilities;

(b) Collect information about an individual directly from that individual whenever practicable;

(c) Inform each individual from whom information is collected of—

(1) The legal authority to collect the information and whether providing it is mandatory or voluntary;

(2) The principal purpose for which FHFA or FHFA-OIG intends to use the information;

(3) The routine uses FHFA or FHFA-OIG may make of the information; and

(4) The effects on the individual, if any, of not providing the information.

(d) Ensure that the employee's office does not maintain a system of records without public notice and notify appropriate officials of the existence or development of any system of records that is not the subject of a current or planned public notice;

(e) Maintain all records that are used in making any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination;

(f) Except for disclosures made under FOIA, make reasonable efforts, prior to disseminating any record about an individual, to ensure that the record is accurate, relevant, timely, and complete;

(g) When required by the Privacy Act, maintain an accounting in the specified form of all disclosures of records by FHFA or FHFA-OIG to persons, organizations, or Federal agencies;

(h) Maintain and use records with care to prevent the unauthorized or inadvertent disclosure of a record to anyone; and

(i) Notify the appropriate official of any record that contains information that the Privacy Act does not permit FHFA or FHFA-OIG to maintain.

(a) The FHFA Inspector General is authorized under the Inspector General Act of 1978, as amended, to make written requests under 5 U.S.C. 552a(b)(7) for transfer of records maintained by other Federal agencies which are necessary to carry out an authorized law enforcement activity under the Inspector General Act of 1978, as amended.

(b) The FHFA Inspector General delegates the authority under paragraph (a) of this section to the following FHFA-OIG officials—

(1) Principal Deputy Inspector General;

(2) Deputy Inspector General for Audits;

(3) Deputy Inspector General for Investigations;

(4) Deputy Inspector General for Evaluations; and

(5) Deputy Inspector General for Administration.

(c) The officials listed in paragraph (b) of this section may not further delegate or re-delegate the authority described in paragraph (a) of this section.