This part contains the regulations the National Indian Gaming Commission (Commission) follows in implementing the Privacy Act of 1974. These regulations should be read together with the Privacy Act, which provides additional information about records maintained on individuals. The regulations in this part apply to all records contained within systems of records maintained by the Commission that are retrieved by an individual's name or personal identifier. They describe the procedures by which individuals may request access to records about themselves, request amendment or correction of those records, and request an accounting of disclosures of those records by the Commission. The Commission shall also process all Privacy Act requests for access to records under the Freedom of Information Act (FOIA), 5 U.S.C. 552, and the Commission's FOIA regulations contained in 25 CFR part 517, which gives requesters maximum disclosure.

For the purposes of this subpart:

(a) Individual means a citizen of the United States or an alien lawfully admitted for permanent residence.

(b) Maintain means store, collect, use, or disseminate.

(c) Record means any item, collection, or grouping of information about an individual that is maintained by the Commission, including education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name, or identifying number, symbol, or other identifier assigned to the individual, such as social security number, finger or voice print, or photograph.

(d) System of records means a group of any records under the control of the Commission from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.

(e) Routine use means use of a record for a purpose that is compatible with the purpose for which it was collected.

(f) Working day means a Federal workday that does not include Saturdays, Sundays, or Federal holidays.

(a) How made and addressed. Any individual may make a request to the Commission for access to records about him or herself. Such requests shall conform to the requirements of this section. The request may be made in person at 90 K Street NE., Suite 200, Washington, DC 20002 during the hours of 9 a.m. to 12 noon and 2 p.m. to 5 p.m. Monday through Friday, in writing at NIGC Attn: Privacy Act Office, 1849 C Street NW., Mail Stop #1621, Washington, DC 20240, or via electronic mail addressed to [email protected].

(b) Description of records sought. Each request for access to records must describe the records sought in enough detail to enable Commission personnel to locate the system of records containing them with a reasonable amount of effort. Whenever possible, the request should describe the records sought, the time periods in which the records were compiled, any tribal gaming facility with which they were associated, and the name or identifying number of each system of records in which the records are kept.

(c) Agreement to pay fees. Requests shall also include a statement indicating the maximum amount of fees the requester is willing to pay to obtain the requested information. The requester must send acknowledgment to the Privacy Act Officer indicating his/her willingness to pay the fees. Absent such an acknowledgment within the specified time frame, the request will be considered incomplete, no further work shall be done, and the request will be administratively closed.

(d) Verification of identity. When making a request for access to records the individual seeking access must provide verification of identity. The requester must provide a full name, current address, and date and place of birth. The request must be signed and must either be notarized or submitted under 28 U.S.C. 1746, which is a law that permits statements to be made under penalty of perjury as a substitute for notarization. In order to assist in the identification and location of requested records, a request may also, at the requester's option, include a social security number.

(e) Verification of guardianship. When making a request as a parent or guardian of a minor or as the guardian of someone determined by a court to be incompetent, for access to records about that individual, the request must establish:

(1) The identity of the individual who is the subject of the record by stating the name, current address, date and place of birth, and, at the requester's option, the social security number of the individual;

(2) The requester's own identity, as required in paragraph (d) of this section;

(3) That the requester is the parent or guardian of the individual and proof of such relationship by providing a birth certificate showing parentage or a court order establishing guardianship; and

(4) That the requester is acting on behalf of that individual in making the request.

(f) Verification in the case of third party information requests. Any individual who desires to have a record covered by this part disclosed to or mailed to another person may designate such person and authorize such person to act as his or her agent for that specific purpose. The authorization shall be in writing, signed by the individual whose record is requested, and notarized or witnessed as provided in paragraph (d) of this section.

(g) In-person disclosures. An individual to whom a record is to be disclosed in person, pursuant to this section, may have a person of his or her own choosing accompany him or her when the record is disclosed. If a requester is accompanied by another individual, the requester shall be required to authorize in writing any discussion of the records in the presence of the other person.

(a) In general. In determining which records are responsive to a request, the Commission ordinarily will include only records in its possession as of the date it begins its search for records. If any other date is used, the Privacy Act Officer shall inform the requester of that date.

(b) Authority to grant or deny requests. The Privacy Act Officer shall make initial determinations either to grant or deny in whole or in part access to records.

(c) Consultations and referrals. When the Commission receives a request for a record in its possession, the Privacy Act Officer shall determine whether another agency of the Federal Government is better able to determine whether the record is exempt from disclosure under the Privacy Act. If the Privacy Act Officer determines that it is best able to process the record in response to the request, then it shall do so. If the Privacy Act Officer determines that it is not best able to process the record, then it shall either:

(1) Respond to the request regarding that record, after consulting with the agency best able to determine whether to disclose it and with any other agency that has a substantial interest in it; or

(2) Refer the responsibility for responding to the request regarding that record to the agency best able to determine whether to disclose it, or to another agency that originated the record. Ordinarily, the agency that originated a record will be presumed to be best able to determine whether to disclose it.

(d) Notice of referral. Whenever the Privacy Act Officer refers all or any part of the responsibility for responding to a request to another agency, it ordinarily shall notify the requester of the referral and inform the requester of the name of each agency to which the request has been referred and of the part of the request that has been referred.

(a) Acknowledgement of requests. Upon receipt of a request, the Privacy Act Officer ordinarily shall, within 20 working days, send an acknowledgement letter which shall confirm the requester's agreement to pay fees under § 515.9 and provide an assigned request number.

(b) Grants of requests for access. Once the Privacy Act Officer makes a determination to grant a request for access in whole or in part, it shall notify the requester in writing. The notice shall inform the requester of any fee charged under § 515.9 of this part and the Privacy Act Officer shall disclose records to the requester promptly on payment of any applicable fee. If a request is made in person, the Privacy Act Officer will disclose the records to the requester directly, in a manner not unreasonably disruptive of its operations, on payment of any applicable fee and with a written record made of the grant of the request. If a requester is accompanied by another individual, the requester shall be required to authorize in writing any discussion of the records in the presence of the other person.

(c) Adverse determinations of requests for access. If the Privacy Act Officer makes any adverse determination denying a request for access in any respect, it shall notify the requester of that determination in writing. The notification letter shall be signed by the official making the determination and include:

(1) The name and title of the person responsible for the denial;

(2) A brief statement of the reason(s) for the denial, including any Privacy Act exemption(s) applied to the denial;

(3) A statement that the denial may be appealed under § 515.7 and a description of the requirements of § 515.7.

(a) How made and addressed. An individual may make a request for an amendment or correction to a Commission record about that individual by writing directly to the Privacy Act Officer, following the procedures in § 515.3. The request should identify each particular record in question, state the amendment or correction that is sought, and state why the record is not accurate, relevant, timely, or complete. The request may include any documentation that would be helpful to substantiate the reasons for the amendment sought.

(b) Privacy Act Officer response. The Privacy Act Officer shall, not later than 10 working days after receipt of a request for an amendment or correction of a record, acknowledge receipt of the request and provide notification of whether the request is granted or denied. If the request is granted in whole or in part, the Privacy Act Officer shall describe the amendment or correction made and shall advise the requester of the right to obtain a copy of the amended or corrected record. If the request is denied in whole or in part, the Privacy Act Officer shall send a letter signed by the denying official stating:

(1) The reason(s) for the denial; and

(2) The procedure for appeal of the denial under paragraph (c) of this section.

(c) Appeals. A requester may appeal a denial of a request for amendment or correction in the same manner as a denial of a request for access as described in § 515.7. If the appeal is denied, the requester shall be advised of the right to file a Statement of Disagreement as described in paragraph (d) of this section and of the right under the Privacy Act for judicial review of the decision.

(d) Statements of Disagreement. If the appeal under this section is denied in whole or in part, the requester has the right to file a Statement of Disagreement that states the reason(s) for disagreeing with the Privacy Act Officer's denial of the request for amendment or correction. Statements of Disagreement must be concise, must clearly identify each part of any record that is disputed, and should be no longer than one typed page for each fact disputed. The Statement of Disagreement shall be placed in the system of records in which the disputed record is maintained and the record shall be marked to indicate a Statement of Disagreement has been filed.

(e) Notification of amendment, correction, or disagreement. Within 30 working days of the amendment or correction of the record, the Privacy Act Officer shall notify all persons, organizations, or agencies to which it previously disclosed the record, and if an accounting of that disclosure was made, that the record has been amended or corrected. If a Statement of Disagreement was filed, the Commission shall append a copy of it to the disputed record whenever the record is disclosed and may also append a concise statement of its reason(s) for denying the request to amend the record.

(f) Records not subject to amendment. Section 515.13 lists the records that are exempt from amendment or correction.

(a) Adverse determination. An initial adverse agency determination of a request may consist of: A determination to withhold any requested record in whole or in part; a determination that a requested record does not exist or cannot be located; a determination that the requested record is not a record subject to the Privacy Act; a determination that a record will not be amended; a determination to deny a request for an accounting; a determination on any disputed fee matter; and any associated denial of a request for expedited treatment under the Commission's FOIA regulations.

(b) Appeals. If the Privacy Act Officer issues an adverse determination in response to a request, the requester may file a written notice of appeal. The notice shall be accompanied by the original request, the initial adverse determination that is being appealed, and a statement describing why the adverse determination was in error. The appeal shall be addressed to the Privacy Act Appeals Officer at the locations listed in § 515.3 of this part no later than 90 calendar days after the date of the letter denying the request. Both the appeal letter and envelope should be marked “Privacy Act Appeal.” Any Privacy Act appeals submitted via electronic mail should state “Privacy Act Appeal” in the subject line.

(c) Responses to appeals. The decision on appeal will be made in writing within 20 working days of receipt of the notice of appeal by the Privacy Act Appeals Officer. For good cause shown, however, the Privacy Act Appeals Officer may extend the 20 day working period. If such an extension is taken, the requester shall be promptly notified of such extension and the anticipated date of decision. A decision affirming an adverse determination in whole or in part will include a brief statement of the reason(s) for the determination, including any Privacy Act exemption(s) applied. If the adverse determination is reversed or modified in whole or in part, the requester will be notified in a written decision and the request will be reprocessed in accordance with that appeal decision. The response to the appeal shall also advise of the right to institute a civil action in a federal district court for judicial review of the decision.

(d) When appeal is required. In order to institute a civil action in a federal district court for judicial review of an adverse determination, a requester must first appeal it under this section.

(a) How made and addressed. Subject to the exceptions listed in paragraph (b) of this section, an individual may make a request for an accounting of the disclosures of any record about that individual that the Commission has made to another person, organization, or agency. The accounting contains the date, nature and purpose of each disclosure, as well as the name and address of the person, organization, or agency to which the disclosure was made. The request for an accounting should identify each particular record in question and should be made in writing to the Commission's Privacy Act Officer, following the procedures in § 515.3.

(b) Where accountings are not required. The Commission is not required to provide an accounting where they relate to:

(1) Disclosures for which accountings are not required to be kept, such as those that are made to employees of the Commission who have a need for the record in the performance of their duties and disclosures that are made under section 552 of title 5;

(2) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from those law enforcement agencies specifying the law enforcement activities for which the disclosures are sought; or

(3) Disclosures made from law enforcement systems of records that have been exempted from accounting requirements.

(c) Appeals. A requester may appeal a denial of a request for an accounting in the same manner as a denial of a request for access as described in § 515.7 of this part and the same procedures will be followed.

(d) Preservation of accountings. All accountings made under this section will be retained for at least five years or the life of the record, whichever is longer, after the disclosure for which the accounting is made.

(a) Court-ordered disclosures. When a record pertaining to an individual is required to be disclosed by a court order, the Privacy Act Officer shall make reasonable efforts to provide notice of this to the individual. Notice shall be given within a reasonable time after the Privacy Act Officer's receipt of the order—except that in a case in which the order is not a matter of public record, the notice shall be given only after the order becomes public. This notice shall be mailed to the individual's last known address and shall contain a copy of the order and a description of the information disclosed. Notice shall not be given if disclosure is made from a criminal law enforcement system of records that has been exempted from the notice requirement.

(b) Emergency disclosures. Upon disclosing a record pertaining to an individual made under compelling circumstances affecting health or safety, the Privacy Act Officer shall, within a reasonable time, notify that individual of the disclosure. This notice shall be mailed to the individual's last known address and shall state the nature of the information disclosed; the person, organization, or agency to which it was disclosed; the date of disclosure; and the compelling circumstances justifying disclosure.

The Commission shall charge fees for duplication of records under the Privacy Act in the same way in which it charges duplication fees under § 517.9 of this chapter. No search or review fee may be charged for any record. Additionally, when the Privacy Act Officer makes a copy of a record as a necessary part of reviewing the record or granting access to the record, the Commission shall not charge for the cost of making that copy. Otherwise, the Commission may charge a fee sufficient to cover the cost of duplicating a record.

Any person who makes a false statement in connection with any request for access to a record, or an amendment thereto, under this part, is subject to the penalties prescribed in 18 U.S.C. 494 and 495.

(a) The following systems of records are exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1) and (f):

(1) Indian Gaming Individuals Records System.

(2) Management Contract Individuals Record System.

(b) The exemptions under paragraph (a) of this section apply only to the extent that information in these systems is subject to exemption under 5 U.S.C. 552a(k)(2). When compliance would not appear to interfere with or adversely affect the overall responsibilities of the Commission, with respect to licensing of key employees and primary management officials for employment in an Indian gaming operation or verifying the suitability of an individual who has a financial interest in, or management responsibility for a management contract, the applicable exemption may be waived by the Commission.

(c) Exemptions from the particular sections are justified for the following reasons:

(1) From 5 U.S.C. 552a(c)(3), because making available the accounting of disclosures to an individual who is the subject of a record could reveal investigative interest. This would permit the individual to take measures to destroy evidence, intimidate potential witnesses, or flee the area to avoid the investigation.

(2) From 5 U.S.C. 552a(d), (e)(1), and (f) concerning individual access to records, when such access could compromise classified information related to national security, interfere with a pending investigation or internal inquiry, constitute an unwarranted invasion of privacy, reveal a sensitive investigative technique, or pose a potential threat to the Commission or its employees or to law enforcement personnel. Additionally, access could reveal the identity of a source who provided information under an express promise of confidentiality.

(3) From 5 U.S.C. 552a(d)(2), because to require the Commission to amend information thought to be incorrect, irrelevant, or untimely, because of the nature of the information collected and the length of time it is maintained, would create an impossible administrative and investigative burden by continually forcing the Commission to resolve questions of accuracy, relevance, timeliness, and completeness.

(4) From 5 U.S.C. 552a(e)(1) because:

(i) It is not always possible to determine relevance or necessity of specific information in the early stages of an investigation.

(ii) Relevance and necessity are matters of judgment and timing in that what appears relevant and necessary when collected may be deemed unnecessary later. Only after information is assessed can its relevance and necessity be established.

(iii) In any investigation the Commission may receive information concerning violations of law under the jurisdiction of another agency. In the interest of effective law enforcement and under 25 U.S.C. 2716(b), the information could be relevant to an investigation by the Commission.

(iv) In the interviewing of individuals or obtaining evidence in other ways during an investigation, the Commission could obtain information that may or may not appear relevant at any given time; however, the information could be relevant to another investigation by the Commission.