(a) Purpose and scope. (1) This subpart contains the rules that the Department of Justice (“DOJ” or “the Department”) follows when handling records maintained by the Department in a system of records, in accordance with the Privacy Act of 1974, as amended, 5 U.S.C. 552a (“Privacy Act” or “PA”). This subpart describes the procedures by which individuals can be notified if a Department system of records contains records about themselves, may request access to records about themselves maintained in a Department system of records, may request amendment or correction of records about themselves maintained in a Department system of records, and may request an accounting of disclosures of records about themselves maintained in a Department system of records. This subpart also establishes other procedures on the appropriate maintenance of records by the Department and when Privacy Act exemptions may apply. This subpart should be read together with the Privacy Act, which provides additional information about records maintained in agency systems of records, including those of the Department.

(2) This subpart contains the procedures that the Department follows when handling covered records maintained by the Department in a system of records, in accordance with the Judicial Redress Act of 2015, 5 U.S.C. 552a note (“Judicial Redress Act”). This subpart should be read together with the Privacy Act and the Judicial Redress Act, which provide additional information about covered records maintained in agency systems of records, including those of the Department.

(3) This subpart contains the procedures that the Department follows when collecting, using, maintaining, or disclosing Social Security account numbers, in accordance with the Privacy Act and the Social Security Number Fraud Prevention Act of 2017, 42 U.S.C. 405 note (“Social Security Number Fraud Prevention Act”). This subpart should be read together with the Privacy Act and the Social Security Number Fraud Prevention Act, which provide additional information about agencies' maintenance of Social Security account numbers, including that of the Department.

(b) Relationship to the Freedom of Information Act. The Department also processes Privacy Act requests for access to records under the Freedom of Information Act (FOIA), 5 U.S.C. 552, following the rules contained in subpart A of this part, which gives requesters the benefits of both statutes.

(c) Definitions. In addition to the definitions found under 5 U.S.C. 552a(a), and section (2)(h) of the Judicial Redress Act, as used in this subpart:

Component means each separate bureau, office, board, division, commission, service, or administration of the Department.

Privacy Act request for access means a request made in accordance with 5 U.S.C. 552a(d)(1), and includes requests for a Privacy Act access appeal, in accordance with this subpart.

Privacy Act request for amendment or correction means a request made in accordance with 5 U.S.C. 552a(d)(2)-(4), and includes requests for a Privacy Act amendment or correction appeal, in accordance with this subpart.

Privacy Act request for an accounting means a request made in accordance with 5 U.S.C. 552a(c)(3).

Requester means an individual who makes a Privacy Act request for access, a Privacy Act request for amendment or correction, a Privacy Act request for an accounting, or, as provided by the Judicial Redress Act, a covered person who makes either a Privacy Act request for access or a Privacy Act request for amendment or correction to covered records.

System of Records Notice means the notice(s) published by the Department in the Federal Register upon the establishment or modification of a system of records describing the existence and character of the system of records. A System of Records Notice (“SORN”) may be composed of a single Federal Register notice addressing all of the required elements that describe the current system of records, or it may be composed of multiple Federal Register notices that together address all of the required elements.

(d) Authority to request records for a law enforcement purpose. The head of a component or a United States Attorney, or either's designee, is authorized to make written requests under 5 U.S.C. 552a(b)(7), for records maintained by other agencies that are necessary to carry out an authorized law enforcement activity. The request must specify the particular portion desired and the law enforcement activity for which the record is sought.

(e) Judicial Redress Act application. (1) With respect to covered records, the Judicial Redress Act authorizes a covered person to bring a civil action against the Department and obtain civil remedies, in the same manner, to the same extent, and subject to the same limitations, including exemptions and exceptions, as an individual may bring a civil action and obtain civil remedies with respect to records under 5 U.S.C. 552a(g)(1)(A), (B).

(2) To the extent consistent with the Judicial Redress Act, when making a request for access, amendment, or correction to a covered record, a covered person must follow the procedures outlined in this subpart for making a Privacy Act request for access to a covered record, or a Privacy Act request for amendment or correction of a covered record. A covered person must exhaust the administrative remedies, as outlined in this subpart, before the covered person may bring a cause of action described in paragraph (e)(1) of this section.

(f) Providing written consent to disclose records protected under the Privacy Act. The Department may disclose any record contained in a system of records by any means of communication to any person, or to another agency, pursuant to a written request by, or with the prior written consent of, the individual about whom the record pertains. An individual must verify the individual's identity in the same manner as required by § 16.41(d) when providing written consent to disclose a record protected under the Privacy Act and pertaining to the individual.

(a) General information. (1) The Department has a decentralized system for responding to Privacy Act requests for access to records, with each component designating an office to process Privacy Act requests for access to records maintained by that component. A requester may make a Privacy Act request for access to records about the requester by writing directly to the component that maintains the records. All components have the capability to receive requests electronically either through email or a web portal. The request should be sent or delivered to the component's office at the address listed in appendix I to this part, or in accordance with the access procedures outlined in the corresponding SORN. The functions of each component are summarized in part 0 of this title and in the description of the Department and its components in the United States Government Manual, which is updated on a year-round basis and is available free of charge at https://www.usgovernmentmanual.gov/.

(2) If a requester cannot determine where within the Department to send the Privacy Act request for access to records, the requester may send it by mail to the FOIA/PA Mail Referral Unit, Justice Management Division, Department of Justice, 950 Pennsylvania Avenue NW, Washington, DC 20530-0001; by email to [email protected]; or by fax to (202) 616-6695. The Mail Referral Unit will forward the request to the component(s) it believes most likely to have the requested records. For the quickest possible handling, the requester should mark both the request letter and the envelope “Privacy Act Access Request.”

(b) Description of records sought. Requesters must describe the records sought in sufficient detail to enable Department personnel to locate the applicable system of records containing them with a reasonable amount of effort. To the extent possible, requesters should include specific information that may assist a component in identifying the requested records, such as the name or identifying number of each system of records in which the requester believes the records are maintained, or the date, title, name, author, recipient, case number, file designation, reference number, or subject matter of the record. The Department publishes SORNs in the Federal Register that describe the type and categories of records maintained in Department-wide and component-specific systems of records. Department SORNs may be found in published issues of the Federal Register and a list is available at https://www.justice.gov/opcl/doj-systems-records. Requesters may also request the record in a particular form or format.

(c) Agreement to pay fees. A Privacy Act request for access may specify the amount of fees that the requester is willing to pay in accordance with § 16.49. The component responsible for responding to the request shall confirm this agreement in an acknowledgement letter, in accordance with § 16.43.

(d) Verification of identity. (1) A requester must verify the requester's identity when making a Privacy Act request for access. The requester must state the requester's full name, current address, and date and place of birth. The requester must:

(i) Sign the request, and the signature must either be notarized or submitted by the requester under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization; or

(ii) When available, use one of the Department's approved digital services, as indicated on the Department's Privacy Act Request web page, to verify the identity of the requester through identity proofing and authentication processes.

(2) While no specific form is required, the requester may obtain forms for this purpose from the FOIA/PA Mail Referral Unit, Justice Management Division, Department of Justice, 950 Pennsylvania Avenue NW, Washington, DC 20530-0001, or obtain the form at https://www.justice.gov/oip/doj-reference-guide-attachment-d-copies-forms.

(3) To help identify and locate requested records, a requester may also include, at the requester's option, any additional identifying information which may be helpful in identifying and locating the requested records. Components shall establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of information provided by the requester, and to protect against any anticipated threats, in accordance with § 16.51.

(e) Verification of guardianship. (1) The parent of a minor, or the legal guardian of an individual who has been declared incompetent due to physical or mental incapacity or age by a court of competent jurisdiction, is permitted to act on behalf of the individual. In order for a parent of a minor or the legal guardian of an individual to make a Privacy Act request for access on behalf of the individual, the parent or legal guardian must establish:

(i) The identity of the individual who is the subject of the request, by stating the name, current address, date and place of birth, and, at the parent or legal guardian's option, any additional identifying information that may be helpful in identifying and locating the requested records;

(ii) The parent or legal guardian's own identity, as required in paragraph (d) of this section;

(iii) Proof of parentage or legal guardianship, which may be proven by providing a copy of the individual's birth certificate or by providing a court order establishing legal guardianship; and

(iv) That the parent or legal guardian is acting on behalf of that individual in making the request.

(2) Components shall establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of information provided by the parent or legal guardian, and to protect against any anticipated threats, in accordance with § 16.51.

(a) In general. Except as stated in paragraphs (c) through (f) of this section, the component that first receives a Privacy Act request for access is the component responsible for responding to the request. In determining which records are responsive to a request, a component ordinarily will include only those records it maintained as of the date the component begins its search. If any other date is used, the component shall inform the requester of that date.

(b) Authority to grant or deny requests. The head of a component, or the component head's designee, is authorized to grant or deny any Privacy Act request for access to records maintained by that component.

(c) Re-routing of misdirected requests. When a component's FOIA/Privacy Act office determines that a request was misdirected within the Department, the receiving component's FOIA/Privacy Act office shall route the request to the FOIA/Privacy Act office of the proper component(s).

(d) Consultations, referrals, and coordination. When a component receives a Privacy Act request for access to a record in its possession, it shall determine whether another component, or another agency of the Federal Government, is better able to determine whether the record is exempt from access under the Privacy Act. If the receiving component determines that it is best able to process the record in response to the request, then it shall do so. If the receiving component determines that it is not best able to process the record, then it shall follow the consultation, referral, and coordination procedures under § 16.4, subject to the requirements in this section. Components may make agreements with other components or agencies to eliminate the need for consultations or referrals for particular types of records.

(e) Consultations, referrals, and coordination concerning law enforcement information. When a component receives a Privacy Act request for access to a record in its possession containing information that relates to an investigation of a possible violation of law and that originated with another component or agency of the Federal Government, the receiving component shall either refer the responsibility for responding to the request regarding that information to that other component or agency or shall consult with that other component or agency.

(f) Consultations, referrals, and coordination concerning classified information. (1) When a component receives a Privacy Act request for access to a record containing information that has been classified or may be appropriate for classification by another component or agency under any applicable Executive order concerning the classification of records, the receiving component shall consult with or refer the responsibility for responding to the request regarding that information to the component or agency that classified the information, or that should consider the information for classification.

(2) When a component receives a Privacy Act request for access to a record containing information that has been derivatively classified, the receiving component shall consult with or refer the responsibility for responding to that portion of the request to the component or agency that classified the underlying information.

(a) In general. Components should, to the extent practicable, communicate with requesters who have access to the internet using electronic means, such as through email or a web portal. A component shall honor a requester's preference for receiving a record in a particular form or format where it is readily reproducible by the component in the form or format requested.

(b) Acknowledgement of requests. The component responsible for responding to the request must acknowledge, in writing, receipt of a Privacy Act request for access. A component shall initially respond to the requester by acknowledging the Privacy Act request for access, assigning the request an individualized tracking number, and, if applicable, confirming, in writing, the requester's agreement to pay fees in accordance with § 16.49.

(c) Timing of responses to a Privacy Act request for access. (1) Components ordinarily will respond to Privacy Act requests for access according to their order of receipt. The response time will commence on the date that the request is received by the proper component's office designated to receive requests, but in any event not later than ten (10) working days after the request is first received by any component's office designated by this subpart to receive requests.

(2) A component may designate multiple processing tracks that distinguish between simple and more complex Privacy Act requests for access, based on the estimated amount of work or time needed to process the request. Among the factors a component may consider are the number of pages involved in processing the request and the need for consultations or referrals. Components may advise requesters of the track into which their request falls and, when appropriate, may offer requesters an opportunity to narrow their request so that it can be placed in a different processing track.

(d) Granting a Privacy Act request for access. Once a component makes a determination to grant a Privacy Act request for access, in whole or in part, it shall notify the requester in writing. The component shall inform the requester in the notice of any fee charged under § 16.49 and shall disclose records to the requester promptly on payment of any applicable fee.

(e) Adverse determination to a Privacy Act request for access. A component that makes an adverse determination to a Privacy Act request for access, in whole or in part, shall notify the requester of the adverse determination in writing. An adverse determination to a Privacy Act request for access includes a determination by the component that: the request did not reasonably describe the record sought; the information requested is not a record subject to the Privacy Act; the requested record is not maintained in a system of records; the requested record is exempt, in whole or in part, from a Privacy Act request for access under applicable exemption(s); the requested record does not exist, cannot be located, or has been destroyed; the record is not readily reproducible in a comprehensible form; or there is a matter regarding disputed fees.

(f) Content of adverse determination response. An adverse determination to a Privacy Act request for access, in whole or in part, shall be signed by the head of the component, or the component head's designee, and shall include:

(1) The name and title or position of the person responsible for the adverse determination to the Privacy Act request for access;

(2) A brief statement of the reason(s) for the adverse determination to the Privacy Act request for access, including any Privacy Act exemption(s) applied by the component;

(3) An estimate of the volume of any records or information withheld, if applicable, such as the number of pages or some other reasonable form of estimation, although such an estimate is not required if the volume is otherwise indicated or if providing an estimate would harm an interest protected by an applicable exemption; and

(4) A statement that the adverse determination to the Privacy Act request for access may be appealed under § 16.45, and a description of the requirements set forth in § 16.45.

In processing a Privacy Act request for access, a Privacy Act request for amendment or correction, or a Privacy Act request for accounting, in which information is classified under any applicable Executive order concerning the classification of records, to the extent the requester lacks the appropriate security clearance and fails otherwise to meet all requirements to access the classified record or information, the originating component shall review the information in the record to determine whether it should remain classified. Information determined to no longer require classification shall be de-classified and the record evaluated for an appropriate release to the requester, subject to any applicable exemptions or exceptions. On receipt of any appeal involving classified information, the official responsible for adjudicating the appeal shall take appropriate action to ensure compliance with part 17 of this title.

(a) Requirement for making a Privacy Act access appeal. A requester may appeal an adverse determination to a Privacy Act request for access to the Office of Information Policy (“OIP”). The contact information for OIP is contained in the FOIA Reference Guide, which is available at https://www.justice.gov/oip/04_3.html. Appeals may also be submitted through the web portal accessible on OIP's website. Examples of an adverse determination to a Privacy Act request for access are provided in § 16.43. The requester must make the appeal in writing. To be considered timely, the requester must postmark, or in the case of electronic submissions, submit the request, within 90 calendar days after the date of the adverse determination. The appeal should indicate the assigned request number and clearly identify the component's determination that is being appealed. To facilitate handling, the requester should mark both the appeal letter and envelope, or include in the subject line of any electronic communication, “Privacy Act Access Appeal.”

(b) Adjudication of Privacy Act access appeals. (1) The Director of OIP, or a designee of the Director of OIP, shall act on behalf of the Attorney General on all Privacy Act access appeals under this section, unless the Attorney General directs otherwise.

(2) Should the Attorney General exercise the right to respond to a Privacy Act request for access, the Attorney General's decision shall serve as the final action of the Department and will not be subject to a Privacy Act access appeal.

(3) A Privacy Act access appeal ordinarily will not be adjudicated if the request becomes a matter of litigation.

(c) Responses to Privacy Act access appeals. (1) OIP shall make its decision on an appeal in writing.

(2) A decision that upholds a component's adverse determination to the Privacy Act request for access, in whole or in part, shall include a brief statement of the reason(s) for the affirmance, including any Privacy Act exemption applied, and shall provide the requester with notification of the statutory right to file a lawsuit.

(3) A decision that reverses or modifies, in whole or in part, a component's adverse determination to the Privacy Act request for access shall include notice to the requester of the specific reversal or modification. The component(s) shall thereafter further process the request, in accordance with the appeal decision, and respond directly to the requester, as appropriate.

(d) When a Privacy Act access appeal is required. Before seeking review by a court of a component's refusal to grant a Privacy Act request for access, a requester generally must first submit a timely appeal in accordance with this section.

(a) Requirements for making a Privacy Act request for amendment or correction. Unless the record is not subject to amendment or correction, as stated in paragraph (i) of this section, individuals may make a Privacy Act request for amendment or correction of a Department record about themselves. Requesters must write directly to the Department component that maintains the record. A Privacy Act request for amendment or correction shall identify each particular record in question, state the amendment or correction that the requester would like to make, and state why the requester believes the record is not accurate, relevant, timely, or complete. Requesters may submit any documentation that would be helpful in determining the accuracy, relevance, timeliness, or completeness of the record. If the requester believes that the same record is in more than one Department system of records, the requester should address the request to each component that the requester believes maintains the record. For the quickest possible handling, requesters should mark both their request letter and envelope “Privacy Act Amendment Request.” Components and requesters must otherwise follow the procedures and responsibilities set forth in §§ 16.41 and 16.42.

(b) Timing of responses to a Privacy Act request for amendment or correction. (1) Components responsible for responding to a Privacy Act request for amendment or correction must acknowledge, in writing, receipt of the request no later than ten (10) working days after receipt.

(2) Components must promptly respond to a Privacy Act request for amendment or correction. Components ordinarily will respond to Privacy Act requests for amendment or correction according to their order of receipt. The response time will commence on the date that the request is received by the proper component's office designated to receive requests, but in any event no later than ten (10) working days after the request is first received by any component's office designated by this subpart to receive requests.

(3) A component may designate multiple processing tracks that distinguish between simple and more complex Privacy Act requests for amendment or correction, based on the estimated amount of work or time needed to process the request. Among the factors a component may consider are the number of pages involved in processing the request and the need for consultations or referrals. Components may advise requesters of the track into which their request falls and, when appropriate, may offer requesters an opportunity to narrow their request so that it can be placed in a different processing track.

(c) Granting a Privacy Act request for amendment or correction. If a component grants a Privacy Act request for amendment or correction, in whole or in part, it shall notify the requester in writing. The component shall describe the amendment or correction made and shall advise the requester of the requester's right to obtain a copy of the corrected or amended record, in accordance with the Privacy Act right of access procedures described in §§ 16.41 through 16.45.

(d) Adverse determination to a Privacy Act request for amendment or correction. A component that makes an adverse determination to a Privacy Act request for amendment or correction, in whole or in part, shall notify the requester of the determination in writing. An adverse determination to a Privacy Act request for amendment or correction includes a decision by the component that: the information at issue is not a record as defined by the Privacy Act; the requested record is not subject to amendment or correction as stated in paragraph (i) of this section; the request does not reasonably describe the records sought or the amendment or correction to that record; the record at issue does not exist, cannot be located, has been destroyed, or otherwise cannot be amended or corrected; or the record is maintained with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness in any determination about the individual about whom the record pertains.

(e) Content of adverse determination response. An adverse determination to a Privacy Act request for amendment or correction, in whole or in part, shall be signed by the head of the component, or the component head's designee, and shall include:

(1) The name and title or position of the person responsible for the adverse determination to the Privacy Act request for amendment or correction;

(2) A brief statement of the reason(s) for the adverse determination to the Privacy Act request for amendment or correction, including any Privacy Act exemption(s) applied by the component; and

(3) A statement that the adverse determination to the Privacy Act request for amendment or correction may be appealed under paragraph (f) of this section and a description of the requirements set forth in paragraph (f).

(f) Privacy Act amendment appeals. (1) A requester may appeal an adverse determination to a Privacy Act request for amendment or correction, in whole or in part, to the Office of Privacy and Civil Liberties (“OPCL”). The contact information for OPCL is available at https://www.justice.gov/privacy. The requester must make the appeal in writing. To be considered timely, the requester must postmark the appeal request, or in the case of electronic submissions, submit the appeal request, within 90 calendar days after the date of the component's refusal to grant a Privacy Act request for amendment or correction. The appeal should indicate the assigned request number and clearly identify the component's determination that is being appealed. To facilitate handling, the requester should mark both the appeal letter and envelope, or include in the subject line of the electronic transmission, “Privacy Act Amendment Appeal.”

(2) The Chief Privacy and Civil Liberties Officer (“CPCLO”), or a designee of the CPCLO, will act on behalf of the Attorney General on all Privacy Act amendment appeals under this section, unless otherwise directed by the Attorney General.

(3) A Privacy Act amendment appeal ordinarily will not be adjudicated if the request becomes a matter of litigation.

(4) A decision on a Privacy Act amendment appeal must be made in writing. A decision that upholds a component's adverse determination to a Privacy Act request for amendment or correction, in whole or in part, shall include a brief statement of the reason(s) for the affirmance, including any Privacy Act exemption applied, whether the requester has a right to file a Statement of Disagreement, as described in paragraph (g) of this section, and the requester's statutory right to file a lawsuit. A decision that reverses or modifies a component's adverse determination to a Privacy Act request for amendment or correction, in whole or in part, shall notify the requester of the specific reversal or modification. The component shall thereafter further process the request, in accordance with the appeal decision, and respond directly to the requester, as appropriate.

(g) Statement of Disagreement. If a request is subject to a Privacy Act request for amendment or correction, but the component's adverse determination to a Privacy Act request for amendment or correction is upheld, in whole or in part, the requester has the right to file a Statement of Disagreement that states the requester's reason(s) for disagreeing with the Department's refusal to grant the requester's Privacy Act request for amendment or correction. Statements of Disagreement must be concise, must clearly identify each part of any record that is disputed, and should be no longer than one typed page for each fact disputed. A Statement of Disagreement must be sent to the component involved, which shall place it in the system of records in which the disputed record is maintained so that the Statement of Disagreement supplements the disputed record. The component shall mark the disputed record to indicate that a Statement of Disagreement has been filed and where in the system of records it may be found.

(h) Notification of amendment, correction, or Statement of Disagreement. Within thirty (30) working days of the amendment or correction of a record, the component that maintains the record shall notify all persons, organizations, or agencies to which it previously disclosed the record, if an accounting of that disclosure was made, that the record has been amended or corrected. If an individual has filed a Statement of Disagreement, the component shall append a copy of it to the disputed record whenever the record is disclosed. The component may also append a concise statement of its reason(s) for denying the Privacy Act request for amendment or correction of the record.

(i) Records not subject to amendment or correction. The following records are not subject to amendment or correction:

(1) Copies of court records;

(2) Transcripts of testimony given under oath or written statements made under oath;

(3) Transcripts of grand jury proceedings, judicial proceedings, or quasi-judicial proceedings, which are the official record of those proceedings;

(4) Presentence reports, and other records pertaining directly to such reports originating with the courts;

(5) Records in a system of records that have been exempted from amendment and correction, pursuant to 5 U.S.C. 552a(j) or (k), through the applicable regulations in this subpart; and

(6) Records not maintained in a system of records.

(a) Requirements for making a Privacy Act request for accounting of record disclosures. Except where accountings of disclosures are not required to be kept as stated in paragraph (c) of this section, individuals may make a Privacy Act request for an accounting of record disclosures about themselves that have been made by the Department to another person, organization, or agency. This accounting contains the date, nature, and purpose of each disclosure, as well as the name and address of the person, organization, or agency to which the disclosure was made. If the requester believes that the same record is in more than one system of records, the requester should address their request to each component that the requester believes maintains the record. For the quickest possible handling, requesters should mark both their request letters and envelopes “Privacy Act Accounting Request.” Requests must otherwise follow the procedures in § 16.41.

(b) Processing Privacy Act requests for an accounting of record disclosures. Unless otherwise specified in this section, components shall process Privacy Act requests for accountings of record disclosures following the procedures in §§ 16.42 and 16.43.

(c) Where accountings of record disclosures are not required. Components are not required to provide Privacy Act accountings of record disclosures to a requester in cases in which they relate to:

(1) Disclosures of information not subject to the Privacy Act;

(2) Disclosures of records not maintained in a system of records;

(3) Disclosures of records maintained in a system of records for which accountings are not required to be kept, including disclosures to those officers and employees of the Department who have a need for the record in the performance of their duties, 5 U.S.C. 552a(b)(1), or disclosures that are required under the FOIA, 5 U.S.C. 552a(b)(2);

(4) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from those law enforcement agencies specifying the law enforcement activities for which the disclosures are sought; or

(5) Disclosures made from systems of records that have been exempted from the accounting of record disclosure requirements pursuant to the Privacy Act, 5 U.S.C. 552a(j) or (k), through the applicable regulations in this subpart.

(d) Appeals. A requester may appeal a component's refusal to grant a Privacy Act request for an accounting of record disclosures in the same manner, and under the same procedures, as a Privacy Act access appeal, as set forth in § 16.45.

Each component shall preserve all correspondence pertaining to the requests that it receives under this subpart, as well as copies of all requested records, until disposition or destruction is authorized by title 44 of the United States Code or by the National Archives and Records Administration's General Records Schedule 4.2. Records shall not be disposed of while they are the subject of a pending request, appeal, or lawsuit under the Privacy Act.

Components shall charge fees for duplication of records under the Privacy Act in the same way in which they charge duplication fees for responding to FOIA requests under § 16.10. No search or review fee may be charged for any record unless the record has been exempted from access pursuant to exemptions enumerated in the Privacy Act, 5 U.S.C. 552a(j)(2) or (k)(2).

(a) Legal process disclosures. Components shall make reasonable efforts to provide notice to an individual whose record is disclosed under compulsory legal process, such as an order by a court of competent jurisdiction, and such process becomes a matter of public record. Notice shall be given within a reasonable time after the component's receipt of process, except that in a case in which such process is not a matter of public record, the notice shall be given within a reasonable time only after such process becomes public. Where an individual, or the individual's legal counsel, has not otherwise received notice of the disclosure in the litigation process, notice shall be mailed to the individual's last known address and shall contain a copy of such process and a description of the information disclosed. Notice shall not be required if disclosure is made from a system of records that has been exempted from the notice requirement.

(b) Emergency disclosures. Upon disclosing a record pertaining to an individual made under compelling circumstances affecting health or safety, the component shall notify that individual of the disclosure. This notice shall be mailed to the individual's last known address and shall state the nature of the information disclosed; the person, organization, or agency to which it was disclosed; the date of disclosure; and the compelling circumstances justifying the disclosure.

(a) Each component shall establish and maintain administrative, technical, and physical controls consistent with applicable Department and Government-wide laws, regulations, policies, and standards, to ensure the security and confidentiality of records, and to protect against reasonably anticipated threats or hazards to their security or integrity, including against any reasonably anticipated unauthorized access, use, or disclosure, which could result in substantial harm, embarrassment, inconvenience, or unfairness to individuals about whom information is maintained. The stringency of these controls shall correspond to the sensitivity of the records that the controls protect. At a minimum, each component shall maintain administrative, technical, or physical controls to ensure that:

(1) Records are protected from unauthorized access, including unauthorized public access;

(2) The physical area in which records are maintained is supervised or appropriately secured to prevent unauthorized persons from having access to them;

(3) Records are protected from damage, loss, or unauthorized alteration or destruction; and

(4) Records are not disclosed to unauthorized persons or to authorized persons for unauthorized purposes in either oral or written form.

(b) Each component shall establish procedures that restrict access to records to only those individuals within the Department who must have access to those records in order to perform their duties and that prevent inadvertent disclosure of records.

(c) The CPCLO, or a designee of the CPCLO, may impose additional administrative, technical, or physical controls to protect records in consultation with the Chief Information Officer and the Director of the Office of Records Management Policy.

(a) Any approved contract for the operation of a system of records shall contain the standard contract terms and conditions in accordance with the Federal Acquisition Regulations in 48 CFR chapter 28 and may also contain additional privacy-related terms and conditions to ensure compliance with the requirements of the Privacy Act for that system of records. The contracting component will be responsible for ensuring that the contractor complies with these contract requirements.

(b) The CPCLO, a designee of the CPCLO, or contracting components may impose additional contract requirements to further protect records.

(a) Purpose and scope. This section contains the rules that the Department of Justice follows in handling Social Security account numbers in accordance with section 7 of the Privacy Act, and with the Social Security Fraud Prevention Act.

(b) Definitions. For the purposes of this section:

Mail means any physical package sent to entities or individuals outside the Department through the United States Postal Service or any other express mail carrier; and

Necessary includes only those circumstances in which a component would be unable to comply, in whole or in part, with a legal, regulatory, or policy requirement if prohibited from mailing the full Social Security account number. Including the full Social Security account number of an individual on a document sent by mail is not “necessary” if a legal, regulatory, or policy requirement could be satisfied by either partially redacting the Social Security account number in accordance with paragraph (d)(3) of this section, or entirely removing the Social Security account number.

(c) Denial of rights, benefits, or privileges. Components are prohibited from denying any right, benefit, or privilege provided by law to an individual because of such individual's refusal to disclose the individual's Social Security account number. This paragraph (c) shall not apply with respect to:

(1) Any disclosure that is required by Federal statute; or

(2) The disclosure of a Social Security account number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.

(d) Restriction of Social Security account numbers on documents sent by mail. (1) A component shall not include the full Social Security account number of an individual on any document sent by mail, unless the inclusion of the Social Security account number on the document is necessary. Unless the Attorney General directs otherwise, the CPCLO is authorized to assist components in implementing this paragraph (d), including determining whether inclusion of the Social Security account number on a document sent by mail is necessary.

(2) If the use of the full Social Security account number on a document sent by mail is necessary, the component sending the document shall implement appropriate administrative, technical, and physical safeguards to ensure a reasonable level of security against unauthorized access to, and use, disclosure, disruption, modification, or destruction of, the documents sent by mail.

(3) Where feasible, components should partially redact the Social Security account number on any document sent by mail by including no more than the last four digits of the Social Security account number. Components should prioritize technical methods to redact Social Security account numbers.

(4) Components are prohibited from placing a Social Security account number, whether full or partially redacted, on the outside of any mail.

(e) Employee awareness. Each component shall ensure that employees authorized to collect Social Security account numbers are made aware of the following:

(1) The requirements of paragraphs (c) and (d) of this section;

(2) That individuals requested to provide their Social Security account numbers must be informed of:

(i) Whether providing Social Security account numbers is mandatory or voluntary;

(ii) Any statutory or regulatory authority that authorizes the collection of Social Security account numbers; and

(iii) The uses that will be made of the Social Security account numbers; and

(3) That the Department may have other regulations or polices regulating the use, maintenance, or disclosure of Social Security account numbers by which employees must abide.

Each component shall inform its employees and any contractors involved in developing or maintaining a system of records of the provisions of the Privacy Act, including the Privacy Act's civil liability and criminal penalty provisions. Unless otherwise permitted by law, employees and contractors of the Department shall:

(a) Collect from individuals only the information that is relevant and necessary to discharge the responsibilities of the Department;

(b) Collect information about an individual directly from that individual whenever practicable;

(c) Inform each individual asked to supply information for a record pertaining to that individual of:

(1) The legal authority to collect the information and whether providing it is mandatory or voluntary;

(2) The principal purpose for which the Department intends to use the information;

(3) The routine uses the Department may make of the information; and

(4) The effects on the individual, if any, of not providing the information;

(d) Ensure that the component maintains no system of records without public notice and that it notifies appropriate Department officials of the existence or development of any system of records that is not the subject of a current or planned public notice;

(e) Maintain all records that are used by the Department in making any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination;

(f) Except as to disclosures made to an agency or made under the FOIA, make reasonable efforts, prior to disseminating any record about an individual, to ensure that the record is accurate, relevant, timely, and complete;

(g) Maintain no record describing how an individual exercises the individual's First Amendment rights, unless maintaining the record is expressly authorized by statute or by the individual about whom the record is maintained, or is pertinent to and within the scope of an authorized law enforcement activity;

(h) When required by the Privacy Act, maintain an accounting in the specified form of all disclosures of records by the Department to persons, organizations, or agencies;

(i) Maintain and use records with care to prevent the loss or the unauthorized or inadvertent disclosure of a record to anyone;

(j) Notify the appropriate Department official of any record that contains information that the Privacy Act does not permit the Department to maintain; and

(k) Read, acknowledge, and agree to abide by the Department of Justice rules of behavior for accessing, collecting, using, and maintaining Department information.

Nothing in this subpart shall be construed to entitle any person, as of right, to any service or to the disclosure of any record to which such person is not entitled under the Privacy Act, the Social Security Fraud Reduction Act, or the Judicial Redress Act.